Abstract

In this paper we present refinement modal logic. A refinement is like a bisimulation, except that from the three relational requirements only 'atoms' and 'back' need to be satisfied. Our logic contains a new operator $\forall$ in addition to the standard modalities $\Box_a$ for each agent. The operator $\forall$ acts as a quantifier over the set of all refinements of a given model. We call it the refinement operator. As a variation on a bisimulation quantifier, it can be seen as a refinement quantifier over a variable not occurring in the formula bound by the operator. The logic combines the simplicity of multi-agent modal logic with some powers of monadic second order quantification. We present a sound and complete axiomatization of multi-agent refinement modal logic. We also present an extension of the logic to the modal $\mu$-calculus, and an axiomatization for the single-agent version of this logic. Examples and applications are also discussed: to software verification and design (the set of agents can also be seen as a set of actions), and to dynamic epistemic logic. We further give detailed results on the complexity of satisfiability, and on succinctness.
1 Introduction

Modal logic is frequently used for modelling knowledge in multi-agent systems. The semantics of modal logic uses the notion of "possible worlds", between which an agent is unable to distinguish. In dynamic systems agents acquire new knowledge (say by an announcement, or the execution of some action) that allows agents to distinguish between worlds that they previously could not separate. From the agent's point of view, what were "possible worlds" become inconceivable. Thus, a future informative event may be modelled by a reduction in the agent's accessibility relation. In [15] the future event logic is introduced. It augments the multi-agent logic of knowledge with an operation $\forall\varphi$ that stands for "$\varphi$ holds after all informative events" — the diamond version $\exists\varphi$ stands for "there is an informative event after which $\varphi$." The proposal was a generalization of a so-called arbitrary public announcement logic with an operator for "$\varphi$ holds after all announcements" [7]. The semantics of informative events encompasses action model execution à la Baltag et al. [8]: on finite models, it can be easily shown that a model resulting from action model execution is a refinement of the initial model, and for a given refinement of a model we can construct an action model such that the result of its execution is bisimilar to that refinement. In [16] an axiomatization of the single-agent version of this logic is presented, and also expressivity and complexity results. These questions were visited in both the context of modal logic, and of the modal $\mu$-calculus.

In the original motivation, the main operator $\exists$ had a rather temporal sense — therefore the 'future event' name. However, we have come to realize that the structural transformation that interprets this operator is of much more general use, on many very different kinds of modal logic, namely anywhere where more than a mere model restriction or pruning is required. We have therefore come to call this the refinement operator, and the logic refinement modal logic.

Thus we may consider refinement modal logic to be a more abstract perspective of future event logic [15] applicable to other modal logics. To any other modal logic! This is significant in that it motivates the application of the new operator in many different settings. In logics for games [?, 3] or in control theory [39, ?], it corresponds to a player discarding some moves; for program logics [24] it may correspond to operational refinement [52]; and for logics for spatial reasoning it may correspond to sub-space projections [33].

Let us give an example. Consider the following structure. The $\circ$ state is the designated point. The arrows can be associated with a modality.

$\circ \to \bullet \to \bullet \to \bullet$

E.g., $\Diamond\Diamond\Diamond\Box\bot$ is true in the point. From the point of view of the modal language, this structure is essentially the same structure (it is bisimilar) as

$\bullet \leftarrow \bullet \leftarrow \bullet \leftarrow \circ \to \bullet \to \bullet \to \bullet$

This one also satisfies $\Diamond\Diamond\Diamond\Box\bot$ and any other modal formula for that matter. A more radical structural transformation would be to consider submodels, such as

$\circ \to \bullet \to \bullet$

A distinguishing formula between the two is $\Diamond\Diamond\Box\bot$, which is true here and false above. Can we consider other 'submodel-like' transformations that are neither bisimilar structures nor strict submodels? Yes, we can. Consider

[diagram, illegible in the extraction: a structure in which the point $\circ$ has both a path of length two and a path of length three ending in dead ends]

It is neither a submodel of the initial structure, nor is it bisimilar. It satisfies the formula $\Diamond\Diamond\Box\bot \wedge \Diamond\Diamond\Diamond\Box\bot$ that certainly is false in any submodel. We call this structure a refinement (or 'a refinement of the initial structure'), and the original structure a simulation of the latter. Now note that if we consider the three requirements 'atoms', 'forth', and 'back' of a bisimulation, that 'atoms' and 'back' are satisfied but not 'forth', e.g., from the length-three path in the original structure the last arrow has no image. There seems to be still some 'submodel-like' relation with the original structure. Look at its bisimilar duplicate (the one with seven states). The last structure is a submodel of that copy. Such a relation always holds: a refinement of a given structure can always be seen as the model restriction of a bisimilar copy of the given structure. This work deals with the semantic operation of refinement, as in this example, in full generality, and also applied to the multi-agent case.

Previous works [16, 30] employed a notion of refinement. In [30] it was shown that model restrictions were not sufficient to simulate informative events, and they introduced refinement trees for this purpose — a precursor of the dynamic epistemic logics developed later [17].

In order to abstract from a particular implementation, an entire theory of modal specifications has been developed [?], which relies on a refinement preorder, known as modal refinement. Modal specifications are deterministic automata equipped with transitions of two types: may and must. Informally, a must-transition is available in every component that implements the modal specification, while a may-transition need not be. Its definition is close to our definition of refinement (as it is some kind of submodel quantifier), but the two notions are incomparable. Although may and must correspond to different modalities, there is no way to associate may and must with different (and independent) agents, because must is a subtype of may.

We incorporate implicit quantification over informative events directly into the language using, again, a notion of refinement; in our case a refinement is the inverse of simulation [1]. The work is closely related to some recent work on bisimulation quantified modal logics [?, 18]. The refinement operator, seen as refinement quantifier, is weaker than a bisimulation quantifier [?], as it is only based on simulations rather than bisimulations, and as it only allows us to vary the interpretation of a propositional variable that does not occur in the formula bound by it. Bisimulation quantified modal logic has previously been axiomatized by providing a provably correct translation to the modal $\mu$-calculus [?]. This is reputedly a very complicated one. The axiomatization for the refinement operator, in stark contrast, is quite simple and elegant.

Overview of the paper Section 2 gives a wide overview of our technical apparatus: modal logic, cover logic, modal $\mu$-calculus, and bisimulation quantified logic. Section 3 introduces the semantic operation of refinement. This includes a game and (modal) logical characterization. Then, in Section 4 we introduce two logics with a refinement quantifier that is interpreted with the refinement relation: refinement modal logic and refinement $\mu$-calculus. Section 5 contains the axiomatization of refinement modal logic and the completeness proof. We demonstrate that it is equally expressive as modal logic. We mention results for model classes $KD45$ and $S5$. Section 6 gives the axiomatization of refinement $\mu$-calculus. Again, we have a reduction here, to standard $\mu$-calculus. In Section 7 we show that, although the use of refinement quantification does not change the expressive power of the logics, it does make each logic exponentially more succinct. We give a non-elementary complexity bound for refinement modal $\mu$-calculus.

2 Technical preliminaries 

Throughout the paper we assume a finite set of agents $A$ and a countable set of propositional variables $P$ as background parameters when defining the structures and the logics. Agents are named $a, b, a', \dots$ and propositional variables are $p, q, r, p', p'', p_1, p_2, \dots$ Agent $a$ is assumed female, and $b$ male.

Structures A model $M = (S, R, V)$ consists of a domain $S$ of (factual) states (or worlds), an accessibility function $R : A \to \mathcal{P}(S \times S)$, and a valuation $V : P \to \mathcal{P}(S)$. States are $s, t, u, v, s', \dots, s_1, \dots$ For $s \in S$, $M_s$ is a pointed model. For $R(a)$ we write $R_a$; accessibility function $R$ can be seen as a set of accessibility relations $R_a$, and $V$ as a set of valuations $V(p)$. Given two states $s, s'$ in the domain, $R_a(s, s')$ means that in state $s$ agent $a$ considers $s'$ a possibility. We will also use a relation $R_a$ simply as a set of pairs $\subseteq S \times S$, and use the abbreviation $sR_a = \{t \in S \mid (s,t) \in R_a\}$. As we will often be required to discuss several models at once, we will use the convention that $M = (S^M, R^M, V^M)$, $N = (S^N, R^N, V^N)$, etc. The class of all models (given parameter sets of agents $A$ and propositional variables $P$) is denoted $\mathcal{K}$. The class of all models where for all agents the accessibility relation is reflexive, transitive and symmetric is denoted $S5$, and the model class with a serial, transitive and euclidean accessibility relation is denoted $KD45$.

Multi-agent modal logic The language $\mathcal{L}$ of multi-agent modal logic is inductively defined as

$\varphi ::= p \mid \neg\varphi \mid (\varphi \wedge \varphi) \mid \Box_a\varphi$

where $a \in A$ and $p \in P$. Without the construct $\Box_a\varphi$ we get the language $\mathcal{L}_0$ of propositional logic. Standard abbreviations are: $\varphi \vee \psi$ iff $\neg(\neg\varphi \wedge \neg\psi)$, $\varphi \to \psi$ iff $\neg\varphi \vee \psi$, $\top$ iff $p \vee \neg p$, $\bot$ iff $p \wedge \neg p$, and $\Diamond_a\varphi$ iff $\neg\Box_a\neg\varphi$. If there is a single agent only ($|A| = 1$), we may write $\Box\varphi$ instead of $\Box_a\varphi$. Formula variables are $\varphi, \psi, \chi, \varphi', \dots, \varphi_1, \dots$ and for sets of formulas we write $\Phi, \Psi, \dots$ For a finite set $\Phi$ of $\mathcal{L}$ formulas we let the cover operator $\nabla_a\Phi$ be an abbreviation for $\Box_a \bigvee_{\varphi \in \Phi}\varphi \wedge \bigwedge_{\varphi \in \Phi}\Diamond_a\varphi$; we note that $\bigvee_{\varphi \in \emptyset}\varphi$ is always false, whilst $\bigwedge_{\varphi \in \emptyset}\varphi$ is always true.

Given a finite set of formulae $\Psi = \{\psi_1, \dots, \psi_n\}$ and a formula $\varphi$ with possible occurrences of a propositional variable $p$, let $\varphi[\psi \backslash p]$ denote the substitution of all occurrences of $p$ in $\varphi$ by $\psi$. Then $\varphi[\Psi \backslash p]$ abbreviates $\{\varphi[\psi_1 \backslash p], \dots, \varphi[\psi_n \backslash p]\}$, and similarly $\bigvee \varphi[\Psi \backslash p]$ stands for $\varphi[\psi_1 \backslash p] \vee \dots \vee \varphi[\psi_n \backslash p]$ and $\bigwedge \varphi[\Psi \backslash p]$ stands for $\varphi[\psi_1 \backslash p] \wedge \dots \wedge \varphi[\psi_n \backslash p]$. For example, the definition of $\nabla_a\Phi$ is written as $\Box_a \bigvee \Phi \wedge \bigwedge \Diamond_a \Phi$.

We now define the semantics of modal logic. Assume an epistemic model $M = (S, R, V)$. The interpretation of $\varphi \in \mathcal{L}$ is defined by induction.

$M_s \models p$ iff $s \in V(p)$

$M_s \models \neg\varphi$ iff $M_s \not\models \varphi$

$M_s \models \varphi \wedge \psi$ iff $M_s \models \varphi$ and $M_s \models \psi$

$M_s \models \Box_a\varphi$ iff for all $t \in S$: $(s,t) \in R_a$ implies $M_t \models \varphi$

A formula $\varphi$ is valid on a model $M$, notation $M \models \varphi$, iff for all $s \in S$, $M_s \models \varphi$; and $\varphi$ is valid iff $\varphi$ is valid on all $M$ (in the model class $\mathcal{K}$, given agents $A$ and basic propositions $P$). The set of validities, i.e., the logic in the stricter sense of the word, is called $K$.

Cover logic The cover operator $\nabla$ has also been used as a syntactic primitive in modal logics [14]. It has recently been axiomatized [9]. The language $\mathcal{L}_\nabla$ of cover logic is defined as

$\varphi ::= p \mid \neg\varphi \mid (\varphi \wedge \varphi) \mid \nabla_a\{\varphi, \dots, \varphi\}$,

where $p \in P$ and $a \in A$. The semantics of $\nabla_a\Phi$ is the obvious one if we recall our introduction by abbreviation of the cover operator:

$M_s \models \nabla_a\Phi$ iff for all $\varphi \in \Phi$ there is a $t \in sR_a$ such that $M_t \models \varphi$, and for all $t \in sR_a$ there is a $\varphi \in \Phi$ such that $M_t \models \varphi$.

The set of validities of cover logic is called $K_\nabla$. The conjunction of two cover formulae is again equivalent to a cover formula:

$\nabla_a\Phi \wedge \nabla_a\Psi \leftrightarrow \nabla_a\big(\{\varphi \wedge \bigvee\Psi \mid \varphi \in \Phi\} \cup \{\psi \wedge \bigvee\Phi \mid \psi \in \Psi\}\big)$.

The modal box and diamond are definable as $\Box_a\varphi$ iff $\nabla_a\emptyset \vee \nabla_a\{\varphi\}$, and $\Diamond_a\varphi$ iff $\nabla_a\{\varphi, \top\}$, respectively. Cover logic $K_\nabla$ is equally expressive as modal logic $K$ (also in the multi-agent version) [?]. We use cover operators in the presentation of the axioms.

Modal $\mu$-calculus For the modal $\mu$-calculus, apart from the set of propositional variables $P$ we have another parameter set $X$ of variables to be used in the fixed-point construction. The language of the modal $\mu$-calculus is defined as follows.

$\varphi ::= x \mid p \mid \neg\varphi \mid (\varphi \wedge \varphi) \mid \Box_a\varphi \mid \mu x.\varphi$

where $a \in A$, $x \in X$, $p \in P$, and where in $\mu x.\varphi$ the variable $x$ only occurs positively (i.e. in the scope of an even number of negations) in the formula $\varphi$. We will refer to a variable $x$ in an expression $\mu x.\varphi$ as a fixed-point variable. The formula $\nu x.\varphi$ is an abbreviation for $\neg\mu x.\neg\varphi[\neg x \backslash x]$.

For the semantics of the $\mu$-calculus, the valuation $V$ of propositional variables is extended to include fixed-point variables. We write $V^{[x := T]}$ for the operation that changes a given valuation $V$ into one wherein $V(x) = T$ (where $T \subseteq S$) and the valuation of all other fixed-point and propositional variables remains the same. Given a model $M = (S, R, V)$, we similarly write $M^{[x := T]}$ for the model $(S, R, V^{[x := T]})$. The semantics of $\mu x.\varphi$ (the top-down presentation, not the bottom-up presentation) is now as follows: let $\varphi$ and model $M$ be given.

$M_s \models \mu x.\varphi$ iff $s \in \bigcap\{T \subseteq S \mid \{u \mid M^{[x := T]}_u \models \varphi\} \subseteq T\}$

Disjunctive formula An important technical definition we require later on is that of a disjunctive formula. A disjunctive formula is specified by the following abstract syntax:

$\varphi ::= x \mid (\varphi \vee \varphi) \mid (\varphi_0 \wedge \bigwedge_{a \in B} \nabla_a\{\varphi, \dots, \varphi\}) \mid \mu x.\varphi \mid \nu x.\varphi$ (1)

where $p \in P$, $x \in X$, $\varphi_0 \in \mathcal{L}_0$ (propositional logic), and $B \subseteq A$. To get the disjunctive $\mathcal{L}$ formula (of modal logic) we omit the clauses containing $\mu$-calculus variables $x$:

$\varphi ::= (\varphi \vee \varphi) \mid (\varphi_0 \wedge \bigwedge_{a \in B} \nabla_a\{\varphi, \dots, \varphi\})$.

If the context of the logic is clear, we simply write disjunctive formula (or df). If $B = \emptyset$, we have that $\bigwedge_{a \in B} \nabla_a\{\varphi_1, \dots, \varphi_n\} = \top$, as expected.

Every formula is equivalent to a disjunctive formula [25]. (2a)

Every $\mathcal{L}$ formula is equivalent to a disjunctive $\mathcal{L}$ formula [48]. (2b)

Bisimulation quantified modal logic The language $\mathcal{L}_{\tilde\forall}$ is defined as

$\varphi ::= p \mid \neg\varphi \mid (\varphi \wedge \varphi) \mid \Box_a\varphi \mid \tilde\forall p\,\varphi$

where $a \in A$ and $p \in P$. We let $\tilde\exists p\,\varphi$ abbreviate $\neg\tilde\forall p\,\neg\varphi$. We write $\tilde\forall$ and $\tilde\exists$ for the bisimulation quantifiers in order to distinguish them from the refinement quantifiers $\forall$ and $\exists$, to be introduced later. Given an atom $p$ and a formula $\varphi$, the expression $\tilde\exists p\,\varphi$ means that there exists a denotation of propositional variable $p$ such that $\varphi$. It is interpreted as follows (restricted bisimulation $\simeq^p$ is introduced further below in Definition 1).

$M_s \models \tilde\exists p\,\varphi$ iff there is a $N_t$ such that $N_t \simeq^p M_s$ and $N_t \models \varphi$

In [18, Lemma 2.43] a bisimulation quantifier characterization of fixed points is given. The characterization employs the universal modality $\blacksquare$ which quantifies over all states in the model. (Let $\mathcal{L}_{\tilde\forall\blacksquare}$ be the language of bisimulation quantified modal logic with $\blacksquare$ as well.) The only crucial clauses in the inductively defined translation $t$ from the modal $\mu$-calculus into $\mathcal{L}_{\tilde\forall\blacksquare}$ are those for the fixed-point operators. The atoms $p$ in the translation are required not to occur in $\varphi$.

$t(\nu x.\varphi)$ is equivalent to $\tilde\exists p\,(p \wedge \blacksquare(p \to t(\varphi[p \backslash x])))$ (3a)

$t(\mu x.\varphi)$ is equivalent to $\tilde\forall p\,(\blacksquare(t(\varphi[p \backslash x]) \to p) \to p)$ (3b)

The first equation captures the intuition of a greatest fixed point as a least upper bound of the set of states that are prefixed points of $\varphi$, whereas the second equation captures a least fixed point as the greatest lower bound of the set of states that are postfixed points of $\varphi$. From [13] we know that bisimulation quantifiers are also expressible in the modal $\mu$-calculus, and thus these equivalences also hold in the modal $\mu$-calculus. For more information on the modal $\mu$-calculus, see [?].

3 Refinement 

In this section we define the notion of structural refinement, investigate its properties, give 
a game characterization in (basic) modal logic, and compare refinement to bisimulation 
and other established semantic notions in the literature. 

3.1 Refinement and its basic properties 

Definition 1 (Bisimulation, simulation, refinement) Let two models $M = (S, R, V)$ and $M' = (S', R', V')$ be given. A non-empty relation $\mathfrak{R} \subseteq S \times S'$ is a bisimulation if for all $(s, s') \in \mathfrak{R}$ and $a \in A$:

atoms $s \in V(p)$ iff $s' \in V'(p)$ for all $p \in P$;

forth-a for all $t \in S$, if $R_a(s,t)$, then there is a $t' \in S'$ such that $R'_a(s',t')$ and $(t,t') \in \mathfrak{R}$;

back-a for all $t' \in S'$, if $R'_a(s',t')$, then there is a $t \in S$ such that $R_a(s,t)$ and $(t,t') \in \mathfrak{R}$.

We write $M \simeq M'$ ($M$ and $M'$ are bisimilar) iff there is a bisimulation between $M$ and $M'$, and we write $M_s \simeq M'_{s'}$ ($M_s$ and $M'_{s'}$ are bisimilar) iff there is a bisimulation between $M$ and $M'$ linking $s$ and $s'$. A restricted bisimulation $\mathfrak{R} : M_s \simeq^p M'_{s'}$ is a bisimulation that satisfies atoms for all variables except $p$. A total bisimulation is a bisimulation such that all states in the domain and codomain occur in a pair of the relation.

A relation that satisfies atoms, back-a, and forth-a for every $a \in A \setminus B$, and that satisfies atoms, and back-b for every $b \in B$, is a $B$-refinement, and in that case $M'_{s'}$ is (also called) a $B$-refinement of $M_s$, and we write $M_s \preceq_B M'_{s'}$. An $A$-refinement we call a refinement (plain and simple) and for $\{a\}$-refinement we write $a$-refinement. Dually, we similarly define the $B$-simulation $\succeq_B$. We also similarly define restricted refinement and restricted simulation. ⊣

The definition of simulation and refinement above varies slightly from the one given by Blackburn et al. [10, p. 110]. Here we ensure that simulations and refinements preserve the interpretations (i.e., the truth and falsity) of atoms, whereas [10] has them only preserve the truth of propositional variables in a simulation — and presumably preserve their falsity in a refinement. We prefer to preserve the entire interpretation, as we feel it suits our applications better. For example, in the case where refinement represents information change, we would not wish basic facts to become false in the process. The changes are supposed to be merely of information, and not factual.

We allow ourselves to overload the term refinement in the following way (as in the definition): if $\mathfrak{R} : M_s \preceq_B M'_{s'}$ then we call $\mathfrak{R}$ a refinement but we also call $M'_{s'}$ a refinement of $M_s$. The context will disambiguate. This is similar to the double use of the term simulation.

In an epistemic setting a refinement corresponds to the diminishing uncertainty of agents. This means that there is a potential decrease in the number of states and transitions in a model. On the other hand, the number of states as a consequence of refinement may also increase, because the uncertainty of agents over the extent of decreased uncertainty in other agents may still increase. This is perhaps contrary to the concept of program refinement [32] where detail is added to a specification. However, in program refinement the added detail requires a more detailed state space (i.e., extra atoms) and as such is more the domain of bisimulation quantifiers, rather than refinement quantification. Still, the consequence of program refinement is a more deterministic system which agrees with the notion of diminishing uncertainty.

Proposition 2 The relation $\preceq_a$ is reflexive and transitive (a pre-order), and satisfies the Church-Rosser property. ⊣

Proof Reflexivity follows from the observation that the identity relation satisfies atoms, and back-a and forth-a for all agents $a$, and therefore also the weaker requirement for refinement. Similarly, given two $a$-refinements $\mathfrak{R}_1$ and $\mathfrak{R}_2$, we can see that their composition, $\{(x,z) \mid \text{there is a } y \text{ for which } (x,y) \in \mathfrak{R}_1, (y,z) \in \mathfrak{R}_2\}$, is also an $a$-refinement. This is sufficient to demonstrate transitivity. The Church-Rosser property states that if $N_t \preceq_a M_s$ and $N_t \preceq_a M'_{s'}$, then there is some model $N'_{t'}$ such that $M_s \preceq_a N'_{t'}$ and $M'_{s'} \preceq_a N'_{t'}$. From Definition 1 it follows that $M_s$ and $M'_{s'}$ must be bisimilar to one another with respect to $A \setminus \{a\}$. We may therefore construct such a model $N'_{t'}$ by taking $M_s$ (or $M'_{s'}$) and setting $R^{N'}_a = \emptyset$ and $R^{N'}_b = R^M_b$ for all $b \in A \setminus \{a\}$. It can be seen that $N'_{t'}$, where $N' = (S^M, R^{N'}, V^M)$, satisfies the required properties. □

An elementary result is the following.

Proposition 3 Let $B = \{a_1, \dots, a_n\}$, and $M_s$ and $M_t$ given. Then $M_s\,(\preceq_{a_1} \circ \dots \circ \preceq_{a_n})\,M_t$ iff $M_s \preceq_B M_t$. ⊣

Example 4 If $N_t \preceq_a M_s$ and $M_s \preceq_a N_t$, it is not necessarily the case that $M_s \simeq N_t$. For example, consider the one-agent models $M$ and $N$ where:

• $S^M = \{1, 2, 3\}$, $R^M_a = \{(1,2), (2,3)\}$ and $V^M(p) = \emptyset$ for all $p \in P$; and

• $S^N = \{4, 5, 6, 7\}$, $R^N_a = \{(4,5), (5,6), (4,7)\}$ and $V^N(p) = \emptyset$ for all $p \in P$.

These two models are clearly not bisimilar, although $N_4 \preceq_a M_1$ via $\{(4,1), (5,2), (6,3)\}$ and $M_1 \preceq_a N_4$ via $\{(1,4), (2,5), (3,6), (2,7)\}$. See Figure 1. ⊣

Figure 1: Refinement and simulation, but no bisimulation
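Example 4 checked mechanically, as an added example (this is not code from the paper): the largest $B$-refinement of Definition 1 between two finite models is computed as a greatest fixpoint, and the two models are those of Example 4 (plus the chain and its refinement from Example 8 below). The names Model, largest_refinement, refines, bisimilar and the EX4_*/EX8_* constants are this example's own.

```python
# Added example (not from the paper): Definition 1 on finite models.
# A model is (S, R, V) with R[agent] a set of pairs and V[p] a set of states.
# Names such as Model, largest_refinement and the EX4_* constants are this
# example's own; the models themselves are those of Examples 4 and 8.

class Model:
    """Finite Kripke model M = (S, R, V)."""

    def __init__(self, states, R, V):
        self.states = frozenset(states)
        self.R = {a: frozenset(pairs) for a, pairs in R.items()}
        self.V = {p: frozenset(ss) for p, ss in V.items()}

    def succ(self, a, s):
        """sR_a: the set of a-successors of s."""
        return {t for (u, t) in self.R.get(a, ()) if u == s}

    def holds(self, p, s):
        return s in self.V.get(p, ())


def largest_refinement(M, N, agents, props, B):
    """Largest relation Rel ⊆ S^M × S^N that satisfies 'atoms', back-a for
    every agent a, and forth-a for every a ∉ B, i.e. the largest B-refinement
    (M_s ⪯_B N_t exactly when (s, t) ∈ Rel).  The three conditions are
    monotone in Rel, so the union of all B-refinements is again one; it is
    computed as a greatest fixpoint: start from every atom-compatible pair
    and delete pairs violating a back or forth clause until nothing changes."""
    rel = {(s, t) for s in M.states for t in N.states
           if all(M.holds(p, s) == N.holds(p, t) for p in props)}
    changed = True
    while changed:
        changed = False
        for (s, t) in list(rel):
            for a in agents:
                # back-a: every a-successor t2 of t is matched by a related
                # a-successor s2 of s.
                back = all(any((s2, t2) in rel for s2 in M.succ(a, s))
                           for t2 in N.succ(a, t))
                # forth-a is only demanded for agents outside B.
                forth = a in B or all(any((s2, t2) in rel for t2 in N.succ(a, t))
                                      for s2 in M.succ(a, s))
                if not (back and forth):
                    rel.discard((s, t))
                    changed = True
                    break
    return rel


def refines(M, s, N, t, agents, props, B):
    """M_s ⪯_B N_t: N_t is a B-refinement of M_s."""
    return (s, t) in largest_refinement(M, N, agents, props, B)


def bisimilar(M, s, N, t, agents, props):
    """An ∅-refinement satisfies atoms, back and forth: a bisimulation."""
    return refines(M, s, N, t, agents, props, B=frozenset())


AGENTS = ("a",)
PROPS = ("p",)

# Example 4: S^M = {1,2,3}, R^M_a = {(1,2),(2,3)}; S^N = {4,5,6,7},
# R^N_a = {(4,5),(5,6),(4,7)}; every atom is false everywhere.
EX4_M = Model({1, 2, 3}, {"a": {(1, 2), (2, 3)}}, {"p": set()})
EX4_N = Model({4, 5, 6, 7}, {"a": {(4, 5), (5, 6), (4, 7)}}, {"p": set()})

# Example 8: the chain 1 -> 2 -> 3 -> 4 and its refinement b' <- a -> b -> c.
EX8_M = Model({1, 2, 3, 4}, {"a": {(1, 2), (2, 3), (3, 4)}}, {"p": set()})
EX8_N = Model({"a", "b", "b'", "c"},
              {"a": {("a", "b"), ("b", "c"), ("a", "b'")}}, {"p": set()})


def example4_summary():
    """Returns (N_4 ⪯_a M_1, M_1 ⪯_a N_4, M_1 ≃ N_4) for Example 4."""
    return (refines(EX4_N, 4, EX4_M, 1, AGENTS, PROPS, {"a"}),
            refines(EX4_M, 1, EX4_N, 4, AGENTS, PROPS, {"a"}),
            bisimilar(EX4_M, 1, EX4_N, 4, AGENTS, PROPS))


if __name__ == "__main__":
    print("Example 4 (refines both ways, bisimilar):", example4_summary())
    print("Example 4 largest relation N -> M:",
          sorted(largest_refinement(EX4_N, EX4_M, AGENTS, PROPS, {"a"})))
    print("Example 8: M_1 <=_a N_a:",
          refines(EX8_M, 1, EX8_N, "a", AGENTS, PROPS, {"a"}),
          " N_a <=_a M_1:",
          refines(EX8_N, "a", EX8_M, 1, AGENTS, PROPS, {"a"}))
```

The fixpoint relation for $N \to M$ contains the three pairs listed in Example 4, and for Example 8 the chain refines to the branched structure but not conversely, since the arrow $(3,4)$ has no image.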

Given that the equivalence $M_s \equiv N_t$ defined by $M_s \preceq N_t$ and $M_s \succeq N_t$ is not a bisimulation, an interesting question seems to be what it then represents. It seems to formalize that two structures are only different in resolvable differences in uncertainty (for the agent of the refinement), but not in hard and necessary facts. So the positive formulas (for that agent) should be preserved under this 'equivalence' $\equiv$. Such matters will now be addressed.

3.2 Game and logical characterization of refinement 

It is folklore to associate an (infinite) two-player safety game with refinement, in the spirit of [2].

Definition 5 (Refinement game) Let $M_s$ and $N_t$ be two models. We define a turn-based game $\mathcal{G}_a(M_s, N_t)$ between two players Spoiler and Duplicator (male and female, respectively) by $\mathcal{G}_a(M_s, N_t) = (V, E, (s,t))$ where the set of positions $V$ is partitioned into the positions $V_{Spoiler} = S^M \times S^N$ of Spoiler and the positions $V_{Duplicator} = S^M \times [\{forth, back\} \times (A \cup P)] \times S^N$ of Duplicator. Since the initial position $(s,t) \in V_{Spoiler}$, Spoiler starts. The set of moves $E \subseteq V_{Spoiler} \times V_{Duplicator} \cup V_{Duplicator} \times V_{Spoiler}$ is the least set such that the following pairs belong to $E$ (we take the convention that $b \neq a$, and for convenience, we name those moves with names similar to the properties of refinement in Definition 1):

Spoiler's moves (name of the move):

$((s',t'), (s', (forth, p), t'))$ whenever $s' \in V^M(p)$ (forth-p?)
$((s',t'), (s', (back, p), t'))$ whenever $t' \in V^N(p)$ (back-p?)
$((s',t'), (s'', (forth, b), t'))$ whenever $s'' \in R^M_b(s')$ (forth-b?)
$((s',t'), (s', (back, b), t''))$ whenever $t'' \in R^N_b(t')$ (back-b?)
$((s',t'), (s', (back, a), t''))$ whenever $t'' \in R^N_a(t')$ (back-a?)

Duplicator's moves (name of the move):

$((s', (forth, p), t'), (s',t'))$ whenever $t' \in V^N(p)$ (forth-p!)
$((s', (back, p), t'), (s',t'))$ whenever $s' \in V^M(p)$ (back-p!)
$((s'', (forth, b), t'), (s'',t''))$ whenever $t'' \in R^N_b(t')$ (forth-b!)
$((s', (back, b), t''), (s'',t''))$ whenever $s'' \in R^M_b(s')$ (back-b!)
$((s', (back, a), t''), (s'',t''))$ whenever $s'' \in R^M_a(s')$ (back-a!)

A play in $\mathcal{G}_a(M_s, N_t)$ is winning for Duplicator iff it is infinite. ⊣



Notice that there is no forth-a move in the game $\mathcal{G}_a(M_s, N_t)$, which captures the refinement relation between the structures:

Lemma 6 $M_s \preceq_a N_t$ iff Duplicator has a winning strategy in $\mathcal{G}_a(M_s, N_t)$. ⊣

Proof Assume Duplicator has a winning strategy in $\mathcal{G}_a(M_s, N_t)$. Because we are only interested in a safety game, hence a regular winning condition, we can assume without loss of generality that this winning strategy is memoryless [21]. Namely, the strategy $\sigma$ of Duplicator is a function from $V_{Duplicator}$ to $V_{Spoiler}$ that tells her how to play. On the basis of $\sigma$, one can define the binary relation $\Gamma_\sigma \subseteq S^M \times S^N$ as the set of pairs $(s',t')$ such that, in the game $\mathcal{G}_a(M_s, N_t)$, position $(s',t') \in V_{Spoiler}$ is reachable when Duplicator follows her strategy $\sigma$. Then it is easy to check that $\Gamma_\sigma$ is an $a$-simulation from $M_s$ to $N_t$. Also it is not difficult to see that if some $a$-refinement $\mathfrak{R}$ exists from $M_s$ to $N_t$, then any strategy of Duplicator which consists in maintaining Spoiler's positions in $\mathfrak{R}$ is winning. Note that this is always possible for her. □

We now consider a characterization of the refinement in terms of the logic $\mathcal{L}$. Namely, given an agent $a$, we define the fragment $\mathcal{L}^{a+} \subseteq \mathcal{L}$ of the $a$-positive formulas by

$\mathcal{L}^{a+} \ni \varphi ::= p \mid \neg p \mid (\varphi \wedge \varphi) \mid (\varphi \vee \varphi) \mid \Box_b\varphi \mid \Diamond_b\varphi \mid \Diamond_a\varphi$

where $b \in A \setminus \{a\}$ and $p \in P$.

Proposition 7 For any finitely branching (every state has only finitely many successors) models $M$ and $N$, for any $s_0 \in S^M$, for any $t_0 \in S^N$, and for any agent $a \in A$,

$M_{s_0} \preceq_a N_{t_0}$ if, and only if, for every $\varphi \in \mathcal{L}^{a+}$, $N_{t_0} \models \varphi$ implies $M_{s_0} \models \varphi$. ⊣
Proof Let us first establish that for every $t \in S^N$ and $s \in S^M$, if Spoiler has a winning strategy in $\mathcal{G}_a(M_s, N_t)$, then there exists a formula $\varphi(s,t) \in \mathcal{L}^{a+}$, called a distinguishing formula for $(M_s, N_t)$, which satisfies $N_t \models \varphi(s,t)$ but $M_s \not\models \varphi(s,t)$. Note that if Spoiler has a winning strategy in $\mathcal{G}_a(M_s, N_t)$, all plays induced by this strategy have finite length and end in a position where Duplicator cannot move.

We reason by induction on $k$, the maximal length of these plays; note that because Spoiler starts, $k > 0$.

If $k = 1$, Spoiler has a winning move from $(s,t)$ to some $v \in V_{Duplicator}$, where Duplicator is blocked. We reason on the form of $v$.

• if $v = (s, (forth, p), t)$ (resp. $v = (s, (back, p), t)$), then there is no move back to $(s,t)$ because $t \notin V^N(p)$ (resp. $s \notin V^M(p)$). A distinguishing formula is $\neg p$ (resp. $p$).

• if $v = (s', (forth, b), t)$ (resp. $v = (s, (back, b), t')$), then $tR^N_b = \emptyset$ (resp. $sR^M_b = \emptyset$). A distinguishing formula is $\Box_b\bot$ (resp. $\Diamond_b\top$). Since forth-a moves are not allowed in the game, position $v = (s', (forth, a), t)$ is not reachable in the game $\mathcal{G}_a(M_s, N_t)$, so that the formula $\Box_a\bot$ is not needed.

Assume now that $k > 1$, and pick a winning strategy of Spoiler in $\mathcal{G}_a(M_s, N_t)$. From initial position $(s,t)$, we explore the move given by this strategy (because $k > 1$, this move cannot be either forth-p?, or back-p?). Three cases remain.

forth-b? The reached position becomes $(s', (forth, b), t)$, and from there Duplicator loses. That is, for each $t' \in tR^N_b$, Spoiler wins the game $\mathcal{G}_a(M_{s'}, N_{t'})$ in at most $k - 2$ steps. By the induction hypothesis, there exists a distinguishing formula $\varphi(s',t') \in \mathcal{L}^{a+}$ for $(M_{s'}, N_{t'})$. It is easy to see that $\varphi(s,t) = \Box_b(\bigvee_{t' \in tR^N_b} \varphi(s',t'))$ is a distinguishing formula for $(M_s, N_t)$; notice that since $N$ is finitely branching, the disjunction is finitary.

back-b? This case applies to $b \neq a$ and to $b = a$.

The reached position becomes $(s, (back, b), t')$, and from there Duplicator loses. Using a similar reasoning as for forth-b moves, it is easy to establish that there exists a formula $\varphi(s',t') \in \mathcal{L}^{a+}$ such that $\varphi(s,t) = \Diamond_b(\bigwedge_{s' \in sR^M_b} \varphi(s',t'))$ is a distinguishing formula for $(M_s, N_t)$; here, as $M$ is finitely branching, a finitary conjunction is guaranteed.

Now, according to the game characterization of refinement (Lemma 6), and the fact that the existence of a winning strategy for Spoiler from position $(s_0,t_0)$ is equivalent to $M_{s_0} \not\preceq_a N_{t_0}$, we obtain the right-to-left direction of the proposition. For the other direction, assume $M_s \preceq_a N_t$, and let $\varphi \in \mathcal{L}^{a+}$ with $N_t \models \varphi$. We prove that $M_s \models \varphi$, by induction over the structure of the formula. Basic cases where $\varphi$ is either $p$ or $\neg p$, but also the cases $\varphi \wedge \psi$ and $\varphi \vee \psi$, are immediate.

Assume $N_t \models \Box_b\psi$. Then for every $t' \in tR^N_b$, $N_{t'} \models \psi$. If $tR^N_b = \emptyset$, then by Property forth-b of Definition 1 this entails $sR^M_b = \emptyset$ and consequently $M_s \models \Box_b\psi$ (whatever $\psi$ is). Otherwise, $tR^N_b \neq \emptyset$. Take an arbitrary $s' \in sR^M_b$. By Property forth-b of Definition 1 there is a $t' \in tR^N_b$ with $M_{s'} \preceq_a N_{t'}$ and $N_{t'} \models \psi$. By induction hypothesis, $M_{s'} \models \psi$, which entails $M_s \models \Box_b\psi$.

Assume $N_t \models \Diamond_b\psi$, and let $t' \in tR^N_b$ be such that $N_{t'} \models \psi$. By Property back-b of Definition 1 there is some $s' \in sR^M_b$ such that $M_{s'} \preceq_a N_{t'}$. By induction hypothesis, $M_{s'} \models \psi$, which entails $M_s \models \Diamond_b\psi$.

Note that the argument still holds if we take $b = a$. □

3.3 Refinement as bisimulation plus model restriction 

A bisimulation is also a refinement, but refinement allows much more semantic variation. 
How much more? There is a precise relation. Semantically, a refinement is a bisimulation 
followed by a model restriction. 

An $a$-refinement needs to satisfy back for that agent, but not forth. Let an ('initial') model and a refinement of that model be given. For the sake of the exposition we assume that the initial model and its refinement are minimal, i.e., they are bisimulation contractions. Now take an arrow (a pair in the accessibility relation) in that initial model. This arrow may be missing in the refinement, namely when forth is not satisfied for that arrow. On the other hand, any arrow in the refinement should be traceable to an arrow in the initial model - the back condition. There may be several arrows in the refinement that are traceable to the same arrow in the initial model, because the states in which such arrows finish may be non-bisimilar. In other words, we can see the refinement as a blowup of the initial model and then cutting off bits and pieces.

Example 8 A simple example is as follows. Consider the structure

$\bullet_1 \to \bullet_2 \to \bullet_3 \to \bullet_4$

and its refinement

$\bullet_{b'} \leftarrow \bullet_a \to \bullet_b \to \bullet_c$

by way of refinement relation $\mathfrak{R} = \{(1,a), (2,b), (3,c), (2,b')\}$. The arrow $(3,4)$ has no image in the refinement. On the other hand, the arrow $(1,2)$ has two images, namely $(a,b)$ and $(a,b')$. These two arrows cannot be identified, because $b$ and $b'$ are non-bisimilar: there is yet another arrow from $b$ but no other arrow from $b'$. This reflects that arrow $(2,3)$ has 'only' one image in the refined model, not for both images of 2. ⊣

There is yet another perspective. This makes the relation to restricted bisimulations clear. When expanding the initial model, the blowing up phase, make a certain propositional variable false in all states of the blowup that you want to prune (that are not in the refinement relation) and make it true in all states that you want to keep. Therefore, the blown up model is bisimilar to the initial model except for that variable. (In other words, it is a restricted bisimulation.) Then, remove arrows to states where that atom is false.
Example 9 Continuing the previous example, consider the following structure bisimilar to the initial model, except for the value of atom $p$ — let us say that $\bullet$ represents that $p$ is true and $\circ$ represents that $p$ is false.

$\circ_{d'} \leftarrow \circ_{c'} \leftarrow \bullet_{b'} \leftarrow \bullet_a \to \bullet_b \to \bullet_c \to \circ_d$

The relation $\mathfrak{R} = \{(1,a), (2,b), (3,c), (4,d), (2,b'), (3,c'), (4,d')\}$ is a bisimulation, except for the value of $p$. We get the refinement from the previous example by removing the $\circ$ states and the arrows leading to them. ⊣

Winding up, performing an a-refinement clearly corresponds to the following operation: 

Given a pointed model, first choose a bisimilar pointed model, then remove 
some pairs from the accessibility relation for a in that model. 

Given a propositional variable q, this has the same semantic effect as 

Given a pointed model, first choose a bisimilar pointed model except for variable 
q, such that q is (only) false in some states that are accessible for a, then remove 
all those pairs from the accessibility relation for a. 

In other words: 

Given a pointed model, first choose a bisimilar pointed model except for variable 
q, then remove all pairs from the accessibility relation for a pointing to states 
where q is false. 

If we do this for all agents at the same time (or if we strictly regard tree unwindings of 
models only), we can even see the latter operation as follows: 

Given a pointed model, first choose a bisimilar pointed model except for variable 
q, then restrict the model to the states where q is true. 

Formally, the result is as follows. In what follows, given a model $M$ with accessibility relation (set of accessibility relations) $R$, and $R' \subseteq R$, $M|R'$ is the model that is as $M$ but with accessibility restricted to $R'$. Similarly, $M|p$ is the restriction of $M$ to the states satisfying $p$ (with the corresponding restriction of the accessibility relation and the valuation).

Proposition 10

• Given $M_s \succeq_a N_t$, there is an $N'_{t'}$ (with accessibility function $R'$) and some $R''$ that is as $R'$ except that $R''_a \subseteq R'_a$, such that $M_s \simeq N'_{t'}$ and $N'_{t'}|R'' \simeq N_t$.

• Given $M_s \succeq_a N_t$, there is an $N'_{t'}$ (with accessibility function $R'$) and some $p \in P$ such that $M_s \simeq^p N'_{t'}$ and $N'_{t'}|R'' = N_t$, where $R''$ is as $R'$ except that $(u,u') \in R''_a$ iff $N'_{u'} \models p$.

• Given $M_s \succeq N_t$, there is an $N'_{t'}$ and some $p \in P$ such that $M_s \simeq^p N'_{t'}$ and $N'_{t'}|p = N_t$. ⊣
Proof We only demonstrate how to construct the proper model $N'$ in the first item, and how to value $p$ for use in the second item.

Let an $a$-refinement relation $\mathcal{R}_a \subseteq S^M \times S^N$ be given (such that $(s,t) \in \mathcal{R}_a$). We expand the model and this relation as follows to a model $N'$ and a bisimulation $\mathcal{R} \subseteq S^M \times S^{N'}$. For all $v$ such that $(u,v) \in R_a$ (in $M$) for some $u$ and $(u,u') \in \mathcal{R}_a$ for some $u'$, and for which there is no $v'$ in $u'R_a$ (in $N$) such that $(v,v') \in \mathcal{R}_a$ (in other words, forth is lacking), add $v$ to the model and also $(u',v)$ to $R_a$, and $(v,v)$ to $\mathcal{R}_a$. The resulting model is $N'$ and the resulting relation $\mathcal{R}$ is a bisimulation. Removing these added pairs again returns $N_t$, so we even have that $M_s \simeq N'_{t'}$ and $N'|R'' = N_t$, beyond the proof requirement.

To further satisfy the requirement for $p$ in the second item, we make $p$ false in all such states $v$ with an $a$-image lacking forth, and true anywhere else. □

In Section 4.3 we build upon this semantic result by translating the logic with refinement quantifiers into the logic with bisimulation quantifiers plus relativization of formulae.

3.4 Refinement and action models 

We recall another important result connecting structural refinement to action model execution [8]. For full details, see [15]. An action model $\mathsf{M} = (\mathsf{S}, \mathsf{R}, \mathsf{pre})$ is like a model $M = (S, R, V)$ but with the valuation replaced by a precondition function $\mathsf{pre} : \mathsf{S} \rightarrow \mathcal{L}$ (for a given language $\mathcal{L}$). The elements of $\mathsf{S}$ are called action points. A restricted modal product $(M \otimes \mathsf{M})$ consists of the pairs $(s,\mathsf{s})$ such that $M_s \models \mathsf{pre}(\mathsf{s})$, the product of the accessibility relations, namely such that $((s,\mathsf{s}),(t,\mathsf{t})) \in R_a$ iff $(s,t) \in R_a$ and $(\mathsf{s},\mathsf{t}) \in \mathsf{R}_a$, and the valuation of the state in the pair: $(s,\mathsf{s}) \in V(p)$ iff $s \in V(p)$. A pointed action model $\mathsf{M}_\mathsf{s}$ is an epistemic action.

Proposition 11 The result of executing an epistemic action in a pointed model is a refinement of that model. Dually, for every refinement of a finite pointed model there is an epistemic action such that the result of its execution in that pointed model is a model bisimilar to the refinement. [15, Prop. 4, 5] ⊣

It is instructive to outline the proof of these results. 

Given pointed model $M_s$ and epistemic action $\mathsf{M}_\mathsf{s}$, the resulting $(M \otimes \mathsf{M})_{(s,\mathsf{s})}$ is a refinement of $M_s$ by way of the relation $\mathcal{R}$ consisting of all pairs $(t, (t,\mathsf{t}))$ such that $M_t \models \mathsf{pre}(\mathsf{t})$. Some states of the original model may get lost in the modal product, namely if there is no action whose precondition can be executed there. But all 'surviving' (state, action) pairs can simply be traced back to their first argument: clearly a refinement.

For the other direction, construct an epistemic action $\mathsf{M}_{\mathsf{s}'}$ that is isomorphic to a given refinement $N_{s'}$ of a model $M_s$, but wherein the valuations (determining the value of propositional variables) in states $t \in N$ are replaced by preconditions for action execution of the corresponding action points (also called) $\mathsf{t}$. Precondition $\mathsf{pre}(\mathsf{t})$ should be satisfied in exactly those states $s \in M$ such that $(s,t) \in \mathcal{R}$, where $\mathcal{R}$ is the refinement relation linking $M_s$ and $N_{s'}$. Now in a finite model, we can single out states (up to bisimilarity) by a distinguishing formula [TT]. One then shows that $(M \otimes \mathsf{M}, (s,\mathsf{s}'))$ can be bisimulation-contracted to $N_{s'}$. It is unknown whether the finiteness restriction can be lifted, because the existence of distinguishing formulae plays a crucial part in the proof.

After introducing refinement modal logic, the change of knowledge example in Section 4.2 presents an action model and its execution in an initial information state, and we will there continue our reflections on the comparison of the frameworks.

3.5 Refinement and pruning 

Just as refinement is not mere model restriction, it is also immediate to see that refinement is not mere pruning: consider a model $M$ consisting of a single state $s$ with an $a$-loop. The model $M'$ with three states $s_1, s_2, s_3$ such that $R_a = \{(s_1,s_2), (s_1,s_3), (s_3,s_3)\}$ satisfies $M \succeq M'$ but is not bisimilar to any pruning of $M$.

For refinement and pruning to coincide, one can for example restrict the semantics to the class of deterministic models, that is, models such that every accessibility relation $R_a$ is functional. This is precisely the classic setting considered in control theory. We refer to Section 4.2, where an example will be given.

Also, pruning plays an important role in game theory, where strategies are in one-to-one correspondence with prunings of the unraveled arena. However, refinement is enough to consider: for example, concerning turn-based 2-player zero-sum games with $\omega$-regular winning conditions [21], we have the following: if $G$ and $G'$ are two bisimilar arenas, then a player has a winning strategy in $G$ iff she has a winning strategy in $G'$. Therefore, for a given arena $G$, the existence of a refinement of $G$ such that the winning conditions hold is equivalent to the existence of a winning strategy in $G$ itself. This last remark strengthens the relevance of our refinement operator.

3.6 Refinement and modal specifications refinement 

Modal specifications are classic, convenient, and expressive mathematical objects that represent interfaces of component-based systems [291 IMl 133 EH El SI]. Modal specifications are deterministic automata equipped with transitions of two types: may and must. The components that implement such interfaces are deterministic automata; an alternative language-based semantics can therefore be considered, as presented in [361 EZ]. Informally, a must-transition is available in every component that implements the modal specification, while a may-transition need not be. Modal specifications are interpreted as logical specifications matching the conjunctive $\nu$-calculus fragment of the $\mu$-calculus [IT]. In order to abstract from a particular implementation, an entire theory of modal specifications has been developed, which relies on a refinement preorder, known as modal refinement. However, although its definition is close to our definition of refinement, the two notions are incomparable: there is no way to interpret may and must as different agents (agent $a$ and another agent $b \neq a$ clearly have independent roles in the semantics of $a$-refinement), because must is a subtype of may.
4 Refinement modal logic

In this section we present refinement modal logic, wherein we add a modal operator that we call a refinement quantifier to the language of multi-agent modal logic, or to the language of the modal $\mu$-calculus. From prior publications [l5l US] refinement modal logic is known as 'future event logic'. In that interpretation the different operators stand for different epistemic operators (each describing what an agent knows), and refinement modal logic is then able to express what informative events are consistent with a given information state. However, here we take a more general stance.

We list some relevant validities and semantic properties, and also relate the logic to 
well-known logical frameworks such as bisimulation quantified modal logic (by way of 
relativization), and dynamic epistemic logics. 

4.1 Syntax and semantics of refinement modal logic 

The syntax and the semantics of future event logic are as follows. 

Definition 12 (Languages $\mathcal{L}_\forall$ and $\mathcal{L}^\mu_\forall$) Given a finite set of agents $A$ and a countable set of propositional atoms $P$, the language $\mathcal{L}_\forall$ of refinement modal logic is inductively defined as

$\varphi ::= p \mid \neg\varphi \mid (\varphi \wedge \varphi) \mid \Box_a\varphi \mid \forall_a\varphi$

where $a \in A$ and $p \in P$. Similarly, the language $\mathcal{L}^\mu_\forall$ of refinement $\mu$-calculus has an extra inductive clause $\mu x.\varphi$, where $X$ is the set of variables and $x \in X$.

$\varphi ::= x \mid p \mid \neg\varphi \mid (\varphi \wedge \varphi) \mid \Box_a\varphi \mid \forall_a\varphi \mid \mu x.\varphi$ ⊣

We write $\exists_a\varphi$ for $\neg\forall_a\neg\varphi$. For a subset $\{a_1, \dots, a_n\} = B \subseteq A$ of agents we introduce the abbreviation $\exists_B\varphi$ for $\exists_{a_1}\dots\exists_{a_n}\varphi$ (in any order), where we write $\exists\varphi$ for $\exists_A\varphi$, and similarly for $\forall_B$ and $\forall$. (So in the single-agent version we are also entitled to write $\forall$ and $\exists$.)

Note the two differences between bisimulation quantifiers $\tilde{\forall}p$ and the refinement quantifier $\forall$. The former we write with a 'tilde' symbol over the quantifier. The latter (and also $\forall_a$) has no variable. A refinement quantifier can be seen as implicitly quantifying over a variable, namely over a variable that does not occur in the formula $\varphi$ that it binds (nor should it occur in a formula of which $\exists\varphi$ is a subformula). Section 4.3 will relate bisimulation quantification to the refinement operator.

Definition 13 (Semantics of refinement) Assume an epistemic model $M = (S, R, V)$.

$M_s \models \forall_a\varphi$ iff for all $M'_{s'}$: $M_s \succeq_a M'_{s'}$ implies $M'_{s'} \models \varphi$

The set of validities of $\mathcal{L}_\forall$ is the logic RML (refinement modal logic) and the set of validities of $\mathcal{L}^\mu_\forall$ is the logic RML$^\mu$ (refinement $\mu$-calculus).¹ ⊣

¹As is usual in the area, we will continue to use the term 'logic' in a general sense, beyond that of a set of validities.
In other words, $\forall_a\varphi$ is true in a pointed model iff $\varphi$ is true in all its $a$-refinements. Typical model operations that produce an $a$-refinement are: blowing up the model (to a bisimilar model), such as adding copies that are indistinguishable from the current model and from one another, and removing pairs from the accessibility relation for the agent $a$ (or, alternatively worded: removing states accessible only by agent $a$). In the final part of this section we relate these semantics to the well-known frameworks action model logic and bisimulation quantified logic (and see also [15]).

Proposition 14 (Bisimulation invariance) Refinement modal logic and refinement $\mu$-calculus are bisimulation invariant. ⊣

Proof Bisimulation invariance is the following property: given $M_s \simeq N_t$ and a formula $\varphi$, then $M_s \models \varphi$ iff $N_t \models \varphi$. If the logic has operators beyond the standard modalities $\Box_a$, this property does not automatically follow from bisimilarity.

For refinement modal logic bisimulation invariance is straightforward, noting that $\Box_a$ is bisimulation invariant, and that $\mu x$ is bisimulation invariant. The new operator $\forall_a$ is bisimulation invariant, because $a$-refinement is transitive and bisimulation is just a specific type of $a$-refinement. Formally, let $M_s \simeq N_t$ and $M_s \models \forall_a\varphi$; we have to prove that $N_t \models \forall_a\varphi$. Let $O_u$ be arbitrary such that $N_t \succeq_a O_u$. From $M_s \simeq N_t$ follows $M_s \succeq_a N_t$. From $M_s \succeq_a N_t$ and $N_t \succeq_a O_u$ follows by Proposition 2 that $M_s \succeq_a O_u$. From $M_s \models \forall_a\varphi$ and $M_s \succeq_a O_u$ follows $O_u \models \varphi$. As $O_u$ was arbitrary, we therefore conclude $N_t \models \forall_a\varphi$. The reverse direction is symmetric. □

The following result justifies our notation $\exists_B$ for sets of agents.

Proposition 15 For all agents $a, b$, $\models \exists_a\exists_b\varphi \leftrightarrow \exists_b\exists_a\varphi$. ⊣

Proof Let $M_s$ be given and let $M_t$ and $M_u$ be such that $M_s \succeq_a M_t$ and $M_t \succeq_b M_u$. We have that $M_s\,(\succeq_a \circ \succeq_b)\,M_u$ iff $M_s \succeq_{\{a,b\}} M_u$ iff $M_s\,(\succeq_b \circ \succeq_a)\,M_u$. (See Proposition 3.) □

Proposition 16 The following are validities of RML.

• $\forall_a\varphi \rightarrow \varphi$ (reflexivity)

• $\forall_a\varphi \rightarrow \forall_a\forall_a\varphi$ (transitivity)

• $\exists_a\forall_a\varphi \rightarrow \forall_a\exists_a\varphi$ (Church-Rosser)

• $\exists_a\Diamond_a\varphi \leftrightarrow \Diamond_a\exists_a\varphi$

Proof The first three items directly follow from Proposition 2. The trivial refinement is an $a$-refinement; the composition of two refinements is a refinement; and indeed it satisfies the Church-Rosser property.

For the fourth, from left to right: let $M_s$ be such that $M_s \models \exists_a\Diamond_a\varphi$, and let $M'_{s'}$ and $t' \in s'R'_a$ be such that $M_s \succeq_a M'_{s'}$, $M'_{s'} \models \Diamond_a\varphi$, and $M'_{t'} \models \varphi$. Because of back, there is a $t \in sR_a$ such that $M_t \succeq_a M'_{t'}$. Therefore $M_t \models \exists_a\varphi$ and thus $M_s \models \Diamond_a\exists_a\varphi$.

From right to left: let $M_s$ be such that $M_s \models \Diamond_a\exists_a\varphi$, and let $t \in sR_a$ and $M'_{t'}$ be such that $M_t \models \exists_a\varphi$ and $M'_{t'} \models \varphi$. Consider the model $N$ with point $s$ that is the disjoint union of $M$ and $M'$ except that: all outgoing $a$-arrows from $s$ in $M$ are removed (all pairs $(s,t) \in R_a$), and a new $a$-arrow links $s$ to $t'$ in $M'$ (add $(s,t')$ to the new $R_a$). Then $N_s$ is an $a$-refinement of $M_s$ that, obviously, satisfies $\Diamond_a\varphi$, so $M_s$ satisfies $\exists_a\Diamond_a\varphi$. (This construction is typical for refinement modal logic semantics. It will reappear in various more complex forms later, e.g., in the soundness proof of the axiomatization RML.) □

The semantics of refinement modal logic is with respect to the class $\mathcal{K}$ of all models (for a given set of agents and atoms). If we restrict the semantics to a specific model class only, we get a very different logic. For example, $\exists\Box\bot$ is a validity in RML: just remove all access. But in refinement epistemic logic, interpreted on S5 models, this is not a validity: seriality of models must be preserved in every refinement. See [46, 23].



4.2 Examples

Change of knowledge Given are two agents that are uncertain about the value of a fact $p$, where this is common knowledge, and where $p$ is true. Both accessibility relations are equivalence relations, so the epistemic operators model the agents' knowledge. An informative event is possible after which $a$ knows that $p$ but $b$ does not know that; this is expressed by (where $\exists$ is $\exists_{\{a,b\}}$)

$\exists(\Box_a p \wedge \neg\Box_b\Box_a p)$

In Figure 2 the initial state of information is on the left, and its refinement validating the postcondition is on the right. In the visualization the actual states are underlined. If states are accessible for both $a$ and $b$ we have labelled the (single) arrow with $ab$.

Figure 2: An example of refinement as change of knowledge

On the left, the formula $\exists(\Box_a p \wedge \neg\Box_b\Box_a p)$ is true, because $\Box_a p \wedge \neg\Box_b\Box_a p$ is true on the right. On the right, in the actual state there is no alternative for agent $a$ (only the actual state itself is considered possible by $a$), so $\Box_a p$ is true, whereas agent $b$ also considers another state possible, wherein agent $a$ considers it possible that $p$ is false. Therefore, $\neg\Box_b\Box_a p$ is also true in the actual state on the right.

The model on the right in the figure is neither an $a$-refinement of the model on the left, nor a $b$-refinement of it, but an $\{a,b\}$-refinement.

Recalling Section 3.4 on action models, a refinement of a pointed model can also be obtained by executing an epistemic action (Proposition 11). Therefore, we should be able to see the refinement in this example as produced by an epistemic action. This is indeed the case. The epistemic action consists of two action points $\mathsf{t}$ and $\mathsf{p}$; they can be distinguished by agent $a$ but not by agent $b$. What really happens is $\mathsf{p}$; it has precondition $p$. Agent $b$ cannot distinguish this from $\mathsf{t}$ with precondition $\top$.

The execution of this action is depicted in Figure 3. The point of the structure is the one with precondition $p$: in fact, $a$ is learning that $p$, but $b$ is uncertain between that action and the 'trivial' action wherein nothing is learnt. The trivial action has precondition $\top$. It can be executed in both states of the initial model. The actual action can only be executed in the state where $p$ is true. Therefore, the resulting structure is the refinement with three states.




Figure 3: The refinement in Example 4.2



Action models can also be added as primitives to the multi-agent modal logical language and are then interpreted with a dynamic modal operator — similar to automata-PDL. To get a well-defined logical language the set of action model frames needs to be enumerable, and therefore such action models must be finite. Thus we get action model logic. We now recall the result in Proposition 11 that on finite models every refinement corresponds to the execution of an action model and vice versa (where the action model constructed from a given refinement may be infinite), but that it is unknown whether that finiteness restriction can be lifted. If that result can be generalized, that would be of interest, as it would suggest that refinement modal logic is equally expressive as action model logic with quantification over action models. If these logics were equally expressive, action model logic with quantification would be decidable — a surprising fact, given that public announcement logic with quantification over public announcements (singleton action models) is undecidable [T9].
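As an added illustration (our own code, not the paper's), the following Python checks the refinement relation of Example 8 against the atoms/back/forth clauses, builds the restricted modal product of Section 3.4 for the two-point action model just described, and verifies Proposition 11's relation $\{(t,(t,\mathsf{t}))\}$ on it; the tuple encoding of formulas and the agent name i used for Example 8 are our choices.

```python
"""Added example (not code from the paper): finite Kripke models, the
a-refinement check ('atoms' and 'back' for all agents, 'forth' only for agents
not being refined) and the restricted modal product of Section 3.4, run on
Example 8 and on the 'Change of knowledge' example above. Names are ours."""
from dataclasses import dataclass
from itertools import product


@dataclass
class Model:
    states: frozenset   # S
    rel: dict           # agent -> frozenset of (s, t) pairs: R_a
    val: dict           # state -> frozenset of atoms true there: V


def succ(m, a, s):
    """sR_a, the a-successors of s in m."""
    return {t for (u, t) in m.rel.get(a, frozenset()) if u == s}


def is_refinement(m, n, relation, agents, refined):
    """True iff `relation` (pairs (s, t), s in m, t in n) is a B-refinement for
    B = `refined`: atoms and back for every agent, forth for every agent outside
    B. With refined = set() this is an ordinary bisimulation check."""
    for (s, t) in relation:
        if m.val[s] != n.val[t]:                          # atoms
            return False
        for a in agents:
            for t2 in succ(n, a, t):                      # back
                if not any((s2, t2) in relation for s2 in succ(m, a, s)):
                    return False
            if a in refined:
                continue
            for s2 in succ(m, a, s):                      # forth (unrefined agents)
                if not any((s2, t2) in relation for t2 in succ(n, a, t)):
                    return False
    return True


def holds(m, s, f):
    """Truth of f at state s of m. Formulas are tuples: ('top',), ('atom', p),
    ('not', f), ('and', f, g), ('box', a, f)."""
    kind = f[0]
    if kind == 'top':
        return True
    if kind == 'atom':
        return f[1] in m.val[s]
    if kind == 'not':
        return not holds(m, s, f[1])
    if kind == 'and':
        return holds(m, s, f[1]) and holds(m, s, f[2])
    if kind == 'box':
        return all(holds(m, t, f[2]) for t in succ(m, f[1], s))
    raise ValueError(kind)


def modal_product(m, am_states, am_rel, pre, agents):
    """Restricted modal product M ⊗ 𝖬 of Section 3.4: pairs (s, x) with
    M_s ⊨ pre(x), componentwise accessibility, valuation of the first component."""
    pairs = frozenset((s, x) for s in m.states for x in am_states
                      if holds(m, s, pre[x]))
    rel = {a: frozenset((u, v) for u, v in product(pairs, pairs)
                        if (u[0], v[0]) in m.rel.get(a, frozenset())
                        and (u[1], v[1]) in am_rel.get(a, frozenset()))
           for a in agents}
    return Model(pairs, rel, {(s, x): m.val[s] for (s, x) in pairs})


def example8():
    """Example 8 (one agent, called i here): 1 -> 2 -> 3 -> 4 and its refinement
    b' <- a -> b -> c via the relation {(1,a), (2,b), (3,c), (2,b')}."""
    m = Model(frozenset({1, 2, 3, 4}),
              {'i': frozenset({(1, 2), (2, 3), (3, 4)})},
              {s: frozenset() for s in (1, 2, 3, 4)})
    n = Model(frozenset({'a', 'b', "b'", 'c'}),
              {'i': frozenset({('a', 'b'), ('b', 'c'), ('a', "b'")})},
              {s: frozenset() for s in ('a', 'b', "b'", 'c')})
    rel = {(1, 'a'), (2, 'b'), (3, 'c'), (2, "b'")}
    return (is_refinement(m, n, rel, {'i'}, {'i'}),    # an i-refinement ...
            is_refinement(m, n, rel, {'i'}, set()))    # ... but not a bisimulation


def change_of_knowledge():
    """Agents a, b both uncertain about p (true in state 1), as in Figure 2; action
    points T (precondition ⊤) and P (precondition p), distinguishable by a, not by b.
    Returns the product states, whether {(t, (t, x))} is an {a,b}-refinement relation
    (Proposition 11), and the truth of □_a p ∧ ¬□_b □_a p at (1, P) and at state 1."""
    agents = {'a', 'b'}
    full = frozenset(product((1, 2), (1, 2)))             # equivalence relation
    m = Model(frozenset({1, 2}), {'a': full, 'b': full},
              {1: frozenset({'p'}), 2: frozenset()})
    am_rel = {'a': frozenset({('T', 'T'), ('P', 'P')}),
              'b': frozenset(product(('T', 'P'), ('T', 'P')))}
    pre = {'T': ('top',), 'P': ('atom', 'p')}
    prod = modal_product(m, frozenset({'T', 'P'}), am_rel, pre, agents)
    rel = {(s, (s, x)) for (s, x) in prod.states}
    goal = ('and', ('box', 'a', ('atom', 'p')),
            ('not', ('box', 'b', ('box', 'a', ('atom', 'p')))))
    return (sorted(prod.states), is_refinement(m, prod, rel, agents, agents),
            holds(prod, (1, 'P'), goal), holds(m, 1, goal))
```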
Software verification and design Consider a class of discrete-event systems, whose elements represent devices that interact with an environment. Each device is described by means of actions $c$ and $u$, respectively called 'controllable' and 'uncontrollable' actions. Given an expected property described by some formula $\varphi$, say in $\mathcal{L}^\mu$, we use refinement quantifiers to express several classic verification/synthesis problems.

The control problem [IQ], known as the question "is there a way to control actions $c$ of the system $S$ so that property $\varphi$ is guaranteed?", can be expressed in $\mathcal{L}^\mu_\forall$ by wondering whether

$S \models \exists_c\varphi$.

The module checking problem [27] is the problem of determining whether an open system satisfies a given property, in other words, whether the property holds when the system is composed with an arbitrary environment. Let us say that action $c$ is internal, while action $u$ comes from the environment. We answer the module checking problem positively iff $S \models \forall_u\varphi$. As arbitrary environments are too permissive, we may impose hypotheses such as restricting to non-blocking environments. By 'guarding' the universal quantification over all $u$-refinements (i.e. all environments) with the NonBlocking assumption, the statement becomes

$S \models \forall_u(\mathit{NonBlocking} \Rightarrow \varphi)$

where NonBlocking is easily expressible in $\mathcal{L}^\mu$ as $\nu x.\Diamond_u\top \wedge \Box x$.

The generalized control problem is the combination of the two previous problems: it asks for the existence of a control such that the controlled system satisfies the property in all possible environments. This is expressed by wondering whether

$S \models \exists_c\forall_u(\mathit{NonBlocking} \Rightarrow \varphi)$.

A last example is borrowed from protocol synthesis problems. Consider a specification, MUTEX, of a mutual exclusion protocol involving processes $1, 2, \dots, k$, and some property $\varphi$ specified in $\mathcal{L}^\mu$. Now we may ask if we can find a refinement of MUTEX that satisfies $\varphi$ but also such that if process $i$ is in the critical section ($cs_i$) at time $n+1$, then this is known at time $n$. This is expressed as

$\mathit{MUTEX} \models \exists[AG(\Diamond cs_i \Rightarrow \Box cs_i) \wedge \varphi]$

where $AG$ is the CTL modality, which rewrites in $\mathcal{L}^\mu$ as $AG(\psi) = \nu x.\psi \wedge \Box x$ and means that $\psi$ is true at any time. The refinement consists in moving the nondeterministic choices forward, so that a fork at time $n$ becomes a fork at time $n-1$ with each branch having a single successor at time $n$, as depicted in Figure 4.

4.3 Refinement quantification is bisimulation quantification plus relativization

In Section 3.3 we presented a semantic perspective of refinement as bisimulation followed by model restriction, or, alternatively and equivalently, as a restricted bisimulation, namely except for some propositional variable, followed by a model restriction to that variable. We now lift this result to a corresponding syntactic, logical, perspective of the refinement quantifier as a bisimulation quantifier followed by relativization.

Figure 4: The refinement of MUTEX.

More precisely, in this section we will show that a refinement formula $\exists_a\varphi$ is equivalent to a bisimulation quantification over a variable not occurring in $\varphi$, followed by a (non-standard) relativization for that agent to that variable, for which we write $\tilde{\exists}q\,\varphi^{(a,q)}$ (to be defined shortly). For refinement $\succeq$ for the set of all agents (recall that we write $\succeq$ for $\succeq_A$ and $\exists$ for $\exists_A$) we can expand this perspective to even more familiar ground: a refinement formula $\exists\varphi$ is equivalent to a bisimulation quantification over a variable not in $\varphi$ followed by (standard) relativization to that variable: $\tilde{\exists}q\,\varphi^q$. These results immediately clarify in what sense the refinement modality constitutes 'implicit' quantification, namely over a variable not occurring in the formula bound by it.

For the syntactic correspondence we first introduce the notion of relativization (for settings in modal logic, see [SI EI]). We propose a non-standard definition of relativization — non-standard in two ways. Firstly, it is relativization not merely to a propositional variable but also to an agent. This variation is inessential, but it matches our framework and purposes, and the standard definition is then a special case. Secondly, the relativization is arrow-eliminating and not state-eliminating (it is not mere domain restriction). This simplifies our approach, as the relativization need only be done in accessible states but not in the actual state (e.g., the relativization to $p$ of another variable $q$ is that same variable and not $p \wedge q$). That variation is similar to the (also inessential) difference, in the area of dynamic epistemic logic, between state eliminating public announcement and arrow eliminating public announcement. Given our purpose to translate refinement modal logic into bisimulation quantified modal logic, we also expand the definition of relativization to include quantifiers. This definition will also be used in Section Ei.

Definition 17 (Relativization) Relativization to propositional variable $p$ for agent $a \in A$ is defined as follows.

$q^{(a,p)} = q$
$(\neg\varphi)^{(a,p)} = \neg\varphi^{(a,p)}$
$(\varphi \wedge \psi)^{(a,p)} = \varphi^{(a,p)} \wedge \psi^{(a,p)}$
$(\Box_a\varphi)^{(a,p)} = \Box_a(p \rightarrow \varphi^{(a,p)})$
$(\Box_b\varphi)^{(a,p)} = \Box_b\varphi^{(a,p)}$ for $b \neq a$
$(\tilde{\forall}p\,\varphi)^{(a,p)} = \tilde{\forall}q\,\varphi[q\backslash p]^{(a,p)}$ where $q$ does not occur in $\varphi$
$(\tilde{\forall}q\,\varphi)^{(a,p)} = \tilde{\forall}q\,\varphi^{(a,p)}$ for $q \neq p$ ⊣

We now have the obvious

Lemma 18 Given model $M_s$ with accessibility function $R$ and $R'_a \subseteq R_a$ such that: if $(t,t') \in R'_a$ then $M_{t'} \models p$. Then $M_s \models \varphi^{(a,p)}$ if and only if $M_s|R'_a \models \varphi$. ⊣

Proof The proof is by induction on the structure of $\varphi$.

• $M_s \models q^{(a,p)}$ ⇔
  $M_s \models q$ ⇔ (propositional variables do not change value)
  $M_s|R'_a \models q$

• $M_s \models (\neg\varphi)^{(a,p)}$ ⇔
  $M_s \models \neg\varphi^{(a,p)}$ ⇔
  $M_s \not\models \varphi^{(a,p)}$ ⇔ (I.H.)
  $M_s|R'_a \not\models \varphi$ ⇔
  $M_s|R'_a \models \neg\varphi$

• $M_s \models (\varphi \wedge \psi)^{(a,p)}$ ⇔
  $M_s \models \varphi^{(a,p)} \wedge \psi^{(a,p)}$ ⇔
  $M_s \models \varphi^{(a,p)}$ and $M_s \models \psi^{(a,p)}$ ⇔ (I.H.)
  $M_s|R'_a \models \varphi$ and $M_s|R'_a \models \psi$ ⇔
  $M_s|R'_a \models \varphi \wedge \psi$

• $M_s \models (\Box_a\varphi)^{(a,p)}$ ⇔
  $M_s \models \Box_a(p \rightarrow \varphi^{(a,p)})$ ⇔
  for all $t \in sR_a$: $M_t \models p \rightarrow \varphi^{(a,p)}$ ⇔
  for all $t \in sR_a$: $M_t \models p$ implies $M_t \models \varphi^{(a,p)}$ ⇔ (I.H.)
  for all $t \in sR_a$: $M_t \models p$ implies $M_t|R'_a \models \varphi$ ⇔ ($t \in sR_a$ and $M_t \models p$ iff $t \in sR'_a$)
  for all $t \in sR'_a$: $M_t|R'_a \models \varphi$ ⇔
  $M_s|R'_a \models \Box_a\varphi$

• $M_s \models (\Box_b\varphi)^{(a,p)}$ ⇔
  $M_s \models \Box_b\varphi^{(a,p)}$ ⇔
  for all $t \in sR_b$: $M_t \models \varphi^{(a,p)}$ ⇔ (I.H.)
  for all $t \in sR_b$ (in $M$): $M_t|R'_a \models \varphi$ ⇔ ($sR_b$ in $M$ equals $sR_b$ in $M|R'_a$)
  for all $t \in sR_b$ (in $M|R'_a$): $M_t|R'_a \models \varphi$ ⇔
  $M_s|R'_a \models \Box_b\varphi$

• $M_s \models (\tilde{\forall}q\,\varphi)^{(a,p)}$ ⇔
  $M_s \models \tilde{\forall}q\,\varphi^{(a,p)}$ ⇔
  for all $N_t \simeq^q M_s$: $N_t \models \varphi^{(a,p)}$ ⇔ (I.H.)
  for all $N_t \simeq^q M_s$: $N_t|R'_a \models \varphi$ ⇔ (*)
  for all $N'_{t'} \simeq^q M_s|R'_a$: $N'_{t'} \models \varphi$ ⇔
  $M_s|R'_a \models \tilde{\forall}q\,\varphi$

(*): The equivalence holds because the bisimulation variation outside the $M_s|R'_a$ part of $M_s$ does not affect the truth of a formula only evaluated on $M_s|R'_a$. In other words, for all $N_t$ there is an $N'_{t'}$ such that $N_t|R'_a \simeq N'_{t'}$ and also, for all $N'_{t'}$ there is an $N_t$ that 'expands' $N'_{t'}$ such that, again, $N_t|R'_a \simeq N'_{t'}$.

• The other clause for the universal quantifier starts with a renaming operation, and then proceeds as in the previous clause.

□

Agent relativization relates as expected to the standard notion of relativization (to the 
set of all agents simultaneously). This is because relativization to different variables for 
different agents is commutative. 

Lemma 19 Let $\varphi \in \mathcal{L}^{\tilde{\forall}}$. Then $(\varphi^{(a,p)})^{(b,q)} = (\varphi^{(b,q)})^{(a,p)}$. ⊣

Proof By induction on the structure of $\varphi$. The non-trivial cases are $\Box_a\varphi$, $\Box_b\varphi$ (follows dually), $\tilde{\forall}p\,\varphi$, and $\tilde{\forall}q\,\varphi$ (also follows dually). Note that $(a,p)$-relativization distributes over implication.

• $((\Box_a\varphi)^{(a,p)})^{(b,q)}$ ⇔
  $(\Box_a(p \rightarrow \varphi^{(a,p)}))^{(b,q)}$ ⇔
  $\Box_a(p \rightarrow (\varphi^{(a,p)})^{(b,q)})$ ⇔ (I.H., and clause for variables)
  $\Box_a(p \rightarrow (\varphi^{(b,q)})^{(a,p)})$ ⇔
  $((\Box_a\varphi)^{(b,q)})^{(a,p)}$

• $((\tilde{\forall}p\,\varphi)^{(a,p)})^{(b,q)}$ ⇔
  $(\tilde{\forall}r\,\varphi[r\backslash p]^{(a,p)})^{(b,q)}$ ⇔ (choose $r \neq q$; or else, yet another step)
  $\tilde{\forall}r\,(\varphi[r\backslash p]^{(a,p)})^{(b,q)}$ ⇔ (I.H.)
  $\tilde{\forall}r\,(\varphi[r\backslash p]^{(b,q)})^{(a,p)}$ ⇔ (substitution of other variables than $q$)
  $\tilde{\forall}r\,(\varphi^{(b,q)}[r\backslash p])^{(a,p)}$ ⇔
  $((\tilde{\forall}p\,\varphi)^{(b,q)})^{(a,p)}$

□
Given Lemma 19, we may view a sequence of relativizations $(\dots((\varphi^{(a_1,p)})^{(a_2,p)})\dots)^{(a_n,p)}$ as a relativization $\varphi^{(\{a_1,\dots,a_n\},p)}$ to the set of agents $\{a_1, \dots, a_n\}$, and a sequence of relativizations $(\dots((\varphi^{(a_1,p_1)})^{(a_2,p_2)})\dots)^{(a_n,p_n)}$ as a relativization $\varphi^{(\{a_1,\dots,a_n\},q)}$ for some variable $q$; where it is important to observe that $q$ is typically not a truth function of $p_1, \dots, p_n$ (so, in particular, typically not the conjunction $p_1 \wedge \dots \wedge p_n$). Therefore for $\varphi^{(A,p)}$ we can write $\varphi^p$: the usual relativization for all agents simultaneously. Almost usual: we have tied relativization to the semantic process of arrow elimination (or, from a tree unwinding perspective: pruning), whereas standard relativization is typically model restriction, that is, state elimination. If the models satisfy seriality, there is no difference. If the actual state satisfies the relativization atom, there is also no difference. In a related area, dynamic epistemic logic, the two options represent the familiar alternative semantics for the public truthful announcement of $p$: state elimination [351 E] versus arrow elimination [20, 26].

To make the syntactic correspondence we now introduce a translation $t : \mathcal{L}_\forall \rightarrow \mathcal{L}^{\tilde{\forall}}$.

Definition 20 By induction on $\varphi \in \mathcal{L}_\forall$. All clauses except $\forall_a\varphi$ are trivial.

$t(p) = p$
$t(\neg\varphi) = \neg t(\varphi)$
$t(\varphi \wedge \psi) = t(\varphi) \wedge t(\psi)$
$t(\Box_a\varphi) = \Box_a t(\varphi)$
$t(\forall_a\varphi) = \tilde{\forall}p\, t(\varphi)^{(a,p)}$ where $p$ does not occur in $\varphi$ ⊣



Example 21

$t(\exists_a\exists_b r) = \tilde{\exists}p\, t(\exists_b r)^{(a,p)} = \tilde{\exists}p\,(\tilde{\exists}p\, t(r)^{(b,p)})^{(a,p)} = \tilde{\exists}p\,(\tilde{\exists}p\, r^{(b,p)})^{(a,p)} = \tilde{\exists}p\,(\tilde{\exists}p\, r)^{(a,p)} = \tilde{\exists}p\tilde{\exists}q\, r^{(a,p)} = \tilde{\exists}p\tilde{\exists}q\, r$ ⊣
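As an added example (our own code, not from the paper), the relativization of Definition 17 and the translation $t$ of Definition 20 implemented as operations on formula syntax, reproducing Example 21 and checking Lemma 19 on one sample formula; the tuple encoding of formulas and the fresh-variable order $p, q, r, \dots$ are our assumptions.

```python
"""Added example (not the paper's code): the relativization φ^{(a,p)} of
Definition 17 and the translation t of Definition 20 as operations on formula
syntax, reproducing Example 21 and checking Lemma 19 on one sample formula.
The tuple encoding and the fresh-variable order p, q, r, ... are our choices."""

BINARY = {'and', 'imp'}              # (kind, f, g)
BOUND = {'bforall', 'bexists'}       # bisimulation quantifiers ∀̃q, ∃̃q: (kind, q, f)
REFINE = {'forall', 'exists'}        # refinement quantifiers ∀_a, ∃_a: (kind, a, f)


def variables(f):
    """All propositional variables occurring in f, free or bound."""
    kind = f[0]
    if kind == 'var':
        return {f[1]}
    if kind == 'not':
        return variables(f[1])
    if kind in BINARY:
        return variables(f[1]) | variables(f[2])
    if kind in BOUND:
        return {f[1]} | variables(f[2])
    return variables(f[2])           # box / forall / exists


def fresh(avoid):
    """First of p, q, r, s, ... not in `avoid`."""
    return next(v for v in 'pqrstuvwxyz' if v not in avoid)


def subst(f, old, new):
    """Rename variable `old` to `new` throughout f, binders included."""
    kind = f[0]
    if kind == 'var':
        return ('var', new if f[1] == old else f[1])
    if kind == 'not':
        return ('not', subst(f[1], old, new))
    if kind in BINARY:
        return (kind, subst(f[1], old, new), subst(f[2], old, new))
    if kind in BOUND:
        return (kind, new if f[1] == old else f[1], subst(f[2], old, new))
    return (kind, f[1], subst(f[2], old, new))


def relativize(f, a, p):
    """φ^{(a,p)} of Definition 17: a-boxes become □_a(p → ·), other agents' boxes
    are left alone, and a bound variable clashing with p is renamed first."""
    kind = f[0]
    if kind == 'var':
        return f
    if kind == 'not':
        return ('not', relativize(f[1], a, p))
    if kind in BINARY:                       # distributes over ∧ and →
        return (kind, relativize(f[1], a, p), relativize(f[2], a, p))
    if kind == 'box':
        body = relativize(f[2], a, p)
        if f[1] == a:
            return ('box', a, ('imp', ('var', p), body))
        return ('box', f[1], body)
    if kind in BOUND:
        q, body = f[1], f[2]
        if q == p:                           # (∀̃p φ)^{(a,p)} = ∀̃r φ[r\p]^{(a,p)}
            r = fresh(variables(body) | {p})
            return (kind, r, relativize(subst(body, p, r), a, p))
        return (kind, q, relativize(body, a, p))
    raise ValueError(f"translate refinement quantifiers first: {kind}")


def translate(f):
    """t of Definition 20: t(∀_a φ) = ∀̃p t(φ)^{(a,p)} with p not occurring in φ
    (dually for ∃_a); every other clause is homomorphic."""
    kind = f[0]
    if kind == 'var':
        return f
    if kind == 'not':
        return ('not', translate(f[1]))
    if kind in BINARY:
        return (kind, translate(f[1]), translate(f[2]))
    if kind in REFINE:
        p = fresh(variables(f[2]))
        quant = 'bforall' if kind == 'forall' else 'bexists'
        return (quant, p, relativize(translate(f[2]), f[1], p))
    return (kind, f[1], translate(f[2]))  # box and bisimulation quantifiers


def example21():
    """t(∃_a ∃_b r) = ∃̃p ∃̃q r, as computed in Example 21."""
    return translate(('exists', 'a', ('exists', 'b', ('var', 'r'))))


def lemma19_sample():
    """Both relativization orders for φ = □_a(□_b r ∧ ∀̃s □_a s); by Lemma 19
    they coincide. Returns (equal?, the common result)."""
    phi = ('box', 'a', ('and', ('box', 'b', ('var', 'r')),
                        ('bforall', 's', ('box', 'a', ('var', 's')))))
    ab = relativize(relativize(phi, 'a', 'p'), 'b', 'q')
    ba = relativize(relativize(phi, 'b', 'q'), 'a', 'p')
    return ab == ba, ab
```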

From Lemma 18 and Definition 20 we now immediately get

Proposition 22 Let $\varphi \in \mathcal{L}_\forall$. Then $\varphi$ is equivalent to $t(\varphi)$. ⊣

We allow ourselves a slight abus de langage here: given any $M_s$, the value of $\varphi$ in the semantics for refinement modal logic is equivalent to the value of $t(\varphi)$ in that model, in the semantics for bisimulation quantified modal logic. From Proposition 22 follows, to have the characteristic aspect of the translation stand out:

Corollary 23 Consider $\exists_a\varphi$ with $\varphi \in \mathcal{L}$ (i.e., $\exists$-free). Then

• $a$-refinement is bisimulation quantification plus $a$-relativization: $\exists_a\varphi$ is equivalent to $\tilde{\exists}p\,\varphi^{(a,p)}$;

• refinement is bisimulation quantification plus relativization: $\exists\varphi$ is equivalent to $\tilde{\exists}p\,\varphi^p$. ⊣

In the logic of public announcements, the latter is written as: $\exists\varphi$ is equivalent to $\tilde{\exists}p\,\langle p!\rangle\varphi$.
4.4 Alternating refinement relations

Alternating transition systems (ATS) were introduced [4] to model multiagent systems, where in each move of the game between the agents of an ATS, the choice of an agent at a state is a set of states and the successor state is determined by considering the intersection of the choices made by all agents. A notion of $a$-alternating refinement was introduced to reflect a refined behavior of agent $a$ while keeping intact the behavior of the others. When restricting to turn-based ATS where only one agent plays at a time (concurrent moves are also allowed in the full setting), $a$-alternating refinement amounts to requiring 'forth' for all $b \in A \setminus \{a\}$ as we do, but 'back' just for agent $a$. As a consequence, an $a$-refinement is a particular $a$-alternating refinement. A logical characterization of $a$-alternating refinement has been proposed (it essentially relies on the modality $\exists_a$ combined with the linear time temporal logic LTL) in the sense that if an ATS $S'$ $a$-refines an ATS $S$, every formula true in $S'$ is also true in $S$. Notice however that the operator $\exists_a$ has a more restricted semantics than the one we propose, since the quantification does not range over all possible refinements of the structure but only over refinements obtained by pruning the unraveling of the ATS. Soon after, the more general setting of alternating-time temporal logics [2, 3] considered universal and existential quantifications over $a$-refinements, for arbitrary $a$, combined with LTL formulas. It is worthwhile noticing that the quantifiers still range over particular refinements, and always in the original structure. As a consequence, the language cannot express the ability to nest refinements for different agents. This is easily done in our language $\mathcal{L}_\forall$, as the formula $\exists_a(\Box_b p \wedge \Diamond_a\exists_b\Box_a p)$ exemplifies. This formula tells us that one of the choices that $a$ can make results in $b$ knowing $p$ and in $a$ contemplating a subsequent choice by $b$ that makes her get to know $p$ as well.

5 Axiomatization RML

Here we present the axiomatization RML for the logic RML. We show the axioms and rules to be sound, we give example derivations, and this is followed by the completeness proof.

The axiomatization presented is a substitution schema, since the substitution rule is not valid. The substitution rule says that: if $\varphi$ is a theorem, and $p$ occurs in $\varphi$, and $\psi$ is any formula, then $\varphi[\psi\backslash p]$ is a theorem. Note that for all atomic propositions $p$, $p \rightarrow \forall p$ is valid, but the same is not true for an arbitrary formula, e.g. $\Diamond_a\top \rightarrow \forall\Diamond_a\top$ is not valid, because after the maximal refinement there is no accessible state, so that $\Diamond_a\top$ is then false even if it was true before. The logic RML is therefore not a normal modal logic.

Definition 24 (Axiomatization RML) The axiomatization RML consists of all substitution instances of the axioms

Prop  All tautologies of propositional logic

K  $\Box_a(\varphi \rightarrow \psi) \rightarrow \Box_a\varphi \rightarrow \Box_a\psi$

R  $\forall_a(\varphi \rightarrow \psi) \rightarrow \forall_a\varphi \rightarrow \forall_a\psi$

RProp  $\forall_a p \leftrightarrow p$ and $\forall_a\neg p \leftrightarrow \neg p$

RK  $\exists_a\nabla_a\Phi \leftrightarrow \bigwedge\Diamond_a\exists_a\Phi$

RKmulti  $\exists_a\nabla_b\Phi \leftrightarrow \nabla_b\exists_a\Phi$ where $a \neq b$

RKconj  $\exists_a\bigwedge_{b \in B}\nabla_b\Phi_b \leftrightarrow \bigwedge_{b \in B}\exists_a\nabla_b\Phi_b$

and the rules

MP  From $\varphi \rightarrow \psi$ and $\varphi$ infer $\psi$
NecK  From $\varphi$ infer $\Box_a\varphi$
NecR  From $\varphi$ infer $\forall_a\varphi$

where $a, b \in A$, $p \in P$, and $B \subseteq A$. If $\varphi$ is derivable, we write $\vdash \varphi$, and $\varphi$ is called a theorem, as usual. The well-known axiomatization K for the logic K consists of the axioms Prop, K, and the rules MP and NecK. ⊣

In the definition, given $\Phi = \{\varphi_1, \dots, \varphi_n\}$, note that $\exists_a\nabla_a\Phi \leftrightarrow \bigwedge\Diamond_a\exists_a\Phi$ stands for $\exists_a\nabla_a\Phi \leftrightarrow \bigwedge_{\varphi \in \Phi}\Diamond_a\exists_a\varphi$ (see the technical preliminaries) and so for $\exists_a\nabla_a\{\varphi_1, \dots, \varphi_n\} \leftrightarrow \Diamond_a\exists_a\varphi_1 \wedge \dots \wedge \Diamond_a\exists_a\varphi_n$. The axiomatization RML is surprisingly simple given the complexity of the semantic definition of the refinement operator $\forall$, and given the well-known complexity of axiomatizations for logics involving bisimulation quantifiers instead of this single refinement quantifier. We note that while refinement is reflexive, transitive and satisfies the Church-Rosser property (Proposition 2 and Proposition 16), the corresponding modal axioms are not required. These properties are schematically derivable. First, we demonstrate soundness of RML.

Given the definitions of $\Box$ and $\Diamond$ in terms of cover, it may be instructive to 
see how the RK axiom works as a reduction principle for $\exists\Box\varphi$ and $\exists\Diamond\varphi$; note 
that we need both, as there is no principle for $\exists\neg\varphi$. For simplicity we do not 
label the operators with agents. We get: 

$\exists\Box\varphi \leftrightarrow \exists(\nabla\{\varphi\} \vee \nabla\emptyset)$ 
$\leftrightarrow \exists\nabla\{\varphi\} \vee \exists\nabla\emptyset$ 
$\leftrightarrow \exists\nabla\{\varphi\} \vee \exists\Box\bot$ 
$\leftrightarrow \top$ 

and 

$\exists\Diamond\varphi \leftrightarrow \exists\nabla\{\varphi, \top\}$ 
$\leftrightarrow \Diamond\exists\varphi \wedge \Diamond\exists\top$ 
$\leftrightarrow \Diamond\exists\varphi$ 

One may wonder why we did not choose $\exists\Box\varphi \leftrightarrow \top$ and $\exists\Diamond\varphi \leftrightarrow \Diamond\exists\varphi$ (we recall 
Proposition 15) as primitives in the axiomatization, as, after all, these are very 
simple axioms. They are of course valid, but the axiomatization would not be 
complete. The axiom RK is much more powerful, as it not merely allows 
$\Phi = \{\varphi\}$, $\Phi = \emptyset$, and $\Phi = \{\varphi, \top\}$, but any finite set of formulas. 
5.1 Soundness 

Theorem 25 The axiomatization RML is sound for RML. 

Proof As all models of $\mathcal{L}_\forall$ are models of $\mathcal{L}$, the schemas Prop, K and the rules MP and 
NecK are all sound. We deal with the remaining schemas and rules below. 

R 

Suppose that $M_s$ is a model such that $M_s \models \forall_a(\varphi \to \psi)$, and $M_s \models \forall_a\varphi$. Then for 
every $N_t$ with $N_t \preceq_a M_s$, we have $N_t \models \varphi \to \psi$, and also $N_t \models \varphi$. From $N_t \models \varphi \to \psi$ 
and $N_t \models \varphi$ follows $N_t \models \psi$. As $N_t$ was an arbitrary model such that $N_t \preceq_a M_s$, from that 
and $N_t \models \psi$ follows $M_s \models \forall_a\psi$. 

RProp 

Let $M_s$ and $N_t$ be given such that $N_t \preceq_a M_s$. By Definition 1 for the semantics of 
refinement, we have that $s \in V^M(p)$ if and only if $t \in V^N(p)$. Therefore $M_s \models p$ iff $N_t \models p$, 
for every $M_s$ and $N_t$ with $N_t \preceq_a M_s$. Therefore $M_s \models p$ iff $M_s \models \forall_a p$ for every $M_s$, i.e. 
$\models p \leftrightarrow \forall_a p$. Similarly, for $\models \neg p \leftrightarrow \forall_a\neg p$, using that $s \notin V^M(p)$ if and only if $t \notin V^N(p)$. 

RK 

Suppose $M_s$ is a model, where $M = (S, R, V)$, such that for some set $\Phi$, $M_s \models \bigwedge\Diamond_a\exists_a\Phi$. 
Therefore, for every $\varphi \in \Phi$ there is some $t_\varphi \in sR_a$ such that $M_{t_\varphi} \models \exists_a\varphi$. Thus, for each 
$\varphi \in \Phi$, there is some model $N^\varphi_{u_\varphi} \preceq_a M_{t_\varphi}$, where $N^\varphi = (S^\varphi, R^\varphi, V^\varphi)$, such that $N^\varphi_{u_\varphi} \models \varphi$. 
Without loss of generality, we may assume that for all $\varphi, \varphi' \in \Phi$ the models $N^\varphi$ and $N^{\varphi'}$ 
are disjoint. 

We construct the model $M^* = (S^*, R^*, V^*)$ such that: 

$S^* = \{s'\} \cup S \cup \bigcup_{\varphi\in\Phi} S^\varphi$ 

$R^*_a = \{(s', u_\varphi) \mid \varphi \in \Phi\} \cup \bigcup_{\varphi\in\Phi} R^\varphi_a$ 

$R^*_b = \{(s', t) \mid (s, t) \in R_b\} \cup R_b \cup \bigcup_{\varphi\in\Phi} R^\varphi_b$ for $b \neq a$ 

$V^*(p) = \{s'\}_p \cup V(p) \cup \bigcup_{\varphi\in\Phi} V^\varphi(p)$ for $p \in P$ 

where $\{s'\}_p = \{s'\}$ if $s \in V(p)$ and else $\{s'\}_p = \emptyset$. 

We can see that $M_s \succeq_a M^*_{s'}$, via the relation $\mathcal{R}^* = \{(s, s')\} \cup X \cup \bigcup_{\varphi\in\Phi}\mathcal{R}^\varphi$ where $X$ 
is the identity on $S$ and each $\mathcal{R}^\varphi$ is the refinement relation corresponding to $M_{t_\varphi} \succeq_a N^\varphi_{u_\varphi}$ 
(see also [22]). Furthermore, for each $t \in s'R^*_a$ it is clear that $M^*_t = N^\varphi_{u_\varphi}$ for some $\varphi$, and 
thus $M^*_t \models \varphi$, and so $M^*_t \models \bigvee\Phi$. Therefore $M^*_{s'} \models \Box_a\bigvee\Phi$. Finally, for each $\varphi \in \Phi$ there 
is some $u_\varphi \in s'R^*_a$ where $M^*_{u_\varphi} \models \varphi$, so for each $\varphi \in \Phi$ we have $M^*_{s'} \models \Diamond_a\varphi$, so we have 
$M^*_{s'} \models \bigwedge\Diamond_a\Phi$. Combined, $M^*_{s'} \models \Box_a\bigvee\Phi$ and $M^*_{s'} \models \bigwedge\Diamond_a\Phi$ state that $M^*_{s'} \models \nabla_a\Phi$, and 
therefore $M_s \models \exists_a\nabla_a\Phi$. 

Conversely, suppose that $M_s \models \exists_a\nabla_a\Phi$. Therefore, there is a model $N_t \preceq_a M_s$ such 
that $N_t \models \nabla_a\Phi$, where $N = (S^N, R^N, V^N)$. Expanding the definition, we have that for 
every $\varphi \in \Phi$ there is some $u \in tR^N_a$ such that $N_u \models \varphi$. Also, because of back, for every 
such $u \in tR^N_a$ there is some $v \in sR_a$ such that $N_u \preceq_a M_v$. Combining these statements 
we have that for every $\varphi \in \Phi$ there is some $v \in sR_a$ such that $M_v \models \exists_a\varphi$, and thus 
RKmulti 

The direction $\nabla_b\exists_a\Phi \to \exists_a\nabla_b\Phi$ is proved as in the case RK. Note that our assumption 
is now even stronger, as $\nabla_b\exists_a\Phi$ entails $\bigwedge\Diamond_b\exists_a\Phi$. 

Conversely, suppose that $M_s \models \exists_a\nabla_b\Phi$. Therefore, there is a model $M'_t \preceq_a M_s$ such 
that $M'_t \models \nabla_b\Phi$; let the accessibility relation for agent $b$ in $M'$ be $R'_b$. Expanding the 
definition, we have that for every $\varphi \in \Phi$ there is some $u \in tR'_b$ such that $M'_u \models \varphi$. Also, 
because of back, for every such $u \in tR'_b$ there is some $v \in sR_b$ such that $M'_u \preceq_a M_v$. 
Combining these statements we have that for every $\varphi \in \Phi$ there is some $v \in sR_b$ such 
that $M_v \models \exists_a\varphi$, and thus $M_s \models \bigwedge\Diamond_b\exists_a\Phi$. However, as forth also holds for agent $b$, the 
$v \in sR_b$ we could construct above are also all the states $v$ accessible from $s$. Therefore we 
also have $M_s \models \Box_b\bigvee\exists_a\Phi$, so together we get $M_s \models \nabla_b\exists_a\Phi$. 

RKconj 

The direction $\exists_a\bigwedge_{b\in B}\nabla_b\Phi^b \to \bigwedge_{b\in B}\exists_a\nabla_b\Phi^b$ is merely a more complex form of the pattern 
$\exists_a(\varphi \wedge \psi) \to (\exists_a\varphi \wedge \exists_a\psi)$, which is derivable similarly to $\Diamond_a(\varphi \wedge \psi) \to \Diamond_a\varphi \wedge \Diamond_a\psi$ in the 
modal logic K, using the axiom R in place of K. 

For the other direction, suppose that $M_s$ is such that $M_s \models \bigwedge_{b\in B}\exists_a\nabla_b\Phi^b$, where $B \subseteq A$. 
We need to show that $M_s \models \exists_a\bigwedge_{b\in B}\nabla_b\Phi^b$. To do this we follow the same strategy as for 
proving RK: we construct an $a$-refinement $N_t$ of $M_s$, and show that $N_t \models \bigwedge_{b\in B}\nabla_b\Phi^b$. 

We begin by constructing the model $N$. Suppose that $a \in B$. Then we have $M_s \models 
\exists_a\nabla_a\Phi^a$, and by RK this implies that $M_s \models \bigwedge\Diamond_a\exists_a\Phi^a$. We also have that for every 
$b \in B - \{a\}$, $M_s \models \exists_a\nabla_b\Phi^b$, and by RKmulti this implies that $M_s \models \nabla_b\exists_a\Phi^b$, and by the 
definition of the cover operator, this implies that $M_s \models \bigwedge\Diamond_b\exists_a\Phi^b$. Hence for every $b \in B$ 
and $\varphi \in \Phi^b$ we have that $M_s \models \Diamond_b\exists_a\varphi$. (In other words, for some big set of formulas $\Psi$ we have 
that $M_s \models \bigwedge\Diamond_b\exists_a\Psi$.) At this stage it suffices to refer to the very similar construction in 
the soundness proof for axiom RK, from which, similarly to there, follows $N_t \models \bigwedge_{b\in B}\nabla_b\Phi^b$. 

NecR 

If $\varphi$ is a validity, then it is satisfied by every model, so for any model $M_s$, $\varphi$ is satisfied 
by every model $N_t \preceq_a M_s$, and hence every model $M_s$ satisfies $\forall_a\varphi$. □ 

The soundness of axiom RK is visualized in Figure 5. It depicts the interaction between 
refinement and modality involved in this axiom $\exists_a\nabla_a\Phi \leftrightarrow \bigwedge\Diamond_a\exists_a\Phi$, for the case that $\Phi = 
\{\varphi_1, \varphi_2, \varphi_3\}$. The single lines are modal accessibility, and the double lines the refinement 
relations. The solid lines are given, and the dashed lines are required. Accessibility relations 
for other agents than $a$ are omitted. The picture on the left depicts the implication from 
left to right in the axiom, and the picture on the right depicts the implication from right 
to left. Note that the states satisfying … and $\varphi_3$ have the same origin $u$ in $M$: the typical 
sort of duplication (resulting in non-bisimilar states) allowed when having back but not 
forth. Apart from $u$ and $t$, state $s$ in $M$ has yet another accessible state $v$, that does not 
occur in the refinement relation: the other typical sort of thing when having back but not 
forth. Therefore, on the right side of the equivalence in axiom RK we only have $\bigwedge\Diamond_a\exists_a\Phi$ 
and we cannot guarantee that $\Box_a\bigvee\exists_a\Phi$ also follows from the left-hand side. 

Figure 5: The interaction between refinement and modality involved in axiom RK. 

The axiom RKmulti, defined as $\exists_a\nabla_b\Phi \leftrightarrow \nabla_b\exists_a\Phi$ for $a \neq b$, says that refinement 
with respect to one agent does not interact with the modalities (the uncertainty, say) for 
another agent: the operators $\nabla_b$ and $\exists_a$ simply commute. This is in contrast to the axiom RK, 
where on the right-hand side a construct $\Box_a\bigvee\exists_a\Phi$ is 'missing', so to speak. If it had 
been $\Box_a\bigvee\exists_a\Phi \wedge \bigwedge\Diamond_a\exists_a\Phi$, then we would have had $\nabla_a\exists_a\Phi$, as in RK. The difference 
between RK and RKmulti is because in the former there is no forth requirement for $a$ 
in refinement: given some refinement wherein we have a cover of $\Phi$, so that at least one of 
$\Phi$ is necessary (the $\exists_a\nabla_a\Phi$ bit), for each of the covered states we can trace an origin before 
the refinement, because of back. But there may be more originally accessible states, so 
whatever holds in those origins, although it is all possible, is not necessary. So we have 
$\bigwedge\Diamond_a\exists_a\Phi$, but we do not have $\Box_a\bigvee\exists_a\Phi$. In contrast, when the agents are different, back 
and forth must hold for agent $b$ in a refinement witnessing the operator $\exists_a$: for an 
$a$-refinement, back and forth must hold for all agents $b \neq a$. Figure 6 should further 
clarify the issue; compare this to Figure 5. The main difference between the figures is 
that there cannot now be yet another state $v$ accessible from $s$ but not 'covered' as the 
origin of one of the refined states. In Figure 5 what holds in $t$ and $u$ is not necessary for 
$a$, but in Figure 6 what holds in $t$ and $u$ is necessary for $b$. 

5.2 Example derivations 

Example 26 $\vdash \Diamond_a\top \to \exists_a(\Box_a p \vee \Box_a\neg p)$ 

In an epistemic setting, where $\Box_a p$ means that the agent knows $p$, and where (in S5 models) 
the condition $\Diamond_a\top$ is always satisfied, this validity expresses that the agent can always find 
out the truth about $p$: if true, announce $p$ (and announcement is a model restriction, 
and therefore a refinement), after which $p$ is known, and if false, announce that $p$ is false, 
after which $p$ is known to be false. This validity is indeed also a theorem of RML. For 
that, it is more convenient to keep the cover representation. We note that $\Box_a p$ is in cover 
notation $\nabla_a\{p\} \vee \nabla_a\emptyset$. The requirement $\Diamond_a\top$ or seriality (of consistent belief) rules out 
the alternative $\nabla_a\emptyset$. It therefore suffices to derive $\Diamond_a\top \to \exists_a(\nabla_a\{p\} \vee \nabla_a\{\neg p\})$. In some 
cases several deductions have been combined into single statements, but this is restricted 
to cases of well-known modal theorems. 

Figure 6: The interaction between refinement and modality involved in axiom RKmulti. 

$\vdash \Diamond_a\top \to \Diamond_a(p \vee \neg p)$                              Prop, NecK, K 

$\vdash \Diamond_a(p \vee \neg p) \to (\Diamond_a p \vee \Diamond_a\neg p)$             Prop, NecK, K 

$\vdash \Diamond_a p \to \exists_a\nabla_a\{p\}$                                 See below 

$\vdash \Diamond_a\neg p \to \exists_a\nabla_a\{\neg p\}$                         See below 

$\vdash \exists_a\nabla_a\{p\} \to \exists_a(\nabla_a\{p\} \vee \nabla_a\{\neg p\})$       Prop, NecR, R 

$\vdash \exists_a\nabla_a\{\neg p\} \to \exists_a(\nabla_a\{p\} \vee \nabla_a\{\neg p\})$  Prop, NecR, R 

$\vdash \Diamond_a\top \to \exists_a(\nabla_a\{p\} \vee \nabla_a\{\neg p\})$          Prop, MP 

Lines 3 and 4 of the derivation require the following deduction, which is true for all propo- 
sitional formulas $\varphi$: 

$\vdash \varphi \to \exists_a\varphi$                                   RProp 

$\vdash \Diamond_a\varphi \to \Diamond_a\exists_a\varphi$                    Prop, NecK, K 

$\vdash \Diamond_a\exists_a\varphi \leftrightarrow \exists_a\nabla_a\{\varphi\}$   RK[$\Phi = \{\varphi\}$] 

Example 27 $\vdash (\Diamond_a p \wedge \Diamond_b p \wedge \Diamond_a\neg p \wedge \Diamond_b\neg p) \to \exists_a(\Box_a p \wedge \neg\Box_b p)$ 

Consider the informative development described in Example 4.2: given an initial infor- 
mation state wherein agents $a$ and $b$ consider either value of $p$ possible, $a$ can be informed 
such that afterwards $a$ believes that $p$ but not $b$. The above formalizes that. (A small dif- 
ference is that the following says that $a$ is informed privately, it has $\exists_a$ only; in Example 4.2 
we needed a $\exists$ operator, that is, a stack $\exists_a\exists_b$.) 
Let $\varphi$ be $(\Diamond_a p \wedge \Diamond_b p \wedge \Diamond_a\neg p \wedge \Diamond_b\neg p)$. In the following we also use 'substitution of 
equivalents', see Proposition 31. 

$\vdash \varphi \to \Diamond_a p \wedge \Diamond_b\neg p$                                                    Prop 

$\vdash \varphi \to \Diamond_a p \wedge \nabla_b\{\neg p, \top\}$                                          Definition of $\nabla$ 

$\vdash \varphi \to \Diamond_a\neg\neg p \wedge \nabla_b\{\neg\neg\neg p, \neg\neg\top\}$                  Prop 

$\vdash \varphi \to \Diamond_a\exists_a p \wedge \nabla_b\{\exists_a\neg p, \exists_a\top\}$                RProp, Definition of $\exists$ 

$\vdash \varphi \to \exists_a\nabla_a\{p\} \wedge \nabla_b\{\exists_a\neg p, \exists_a\top\}$            RK 

$\vdash \varphi \to \exists_a\nabla_a\{p\} \wedge \exists_a\nabla_b\{\neg p, \top\}$                     RKmulti 

$\vdash \varphi \to \exists_a(\nabla_a\{p\} \wedge \nabla_b\{\neg p, \top\})$                            RKconj 

$\vdash \varphi \to \exists_a(\Box_a p \wedge \Diamond_b\neg p)$                                          Definition of $\nabla$ 

$\vdash \varphi \to \exists_a(\Box_a p \wedge \neg\Box_b p)$                                              Definition of $\Diamond$ 


5.3 Completeness 

Completeness is shown by a fairly but not altogether straightforward reduction argument: 
every formula in refinement modal logic is equivalent to a formula in modal logic. So it 
is a theorem if its modal logical equivalent is a theorem. In the axiomatization RML 
we can observe that all axioms involving refinement operators $\exists$ are equivalences, except 
for R; however, $\exists_a(\varphi \vee \psi) \leftrightarrow \exists_a\varphi \vee \exists_a\psi$ is a derivable theorem. This means that by so- 
called 'rewriting' we can push the $\exists$ operators further inward into a formula, until we reach 
some expression $\exists\varphi$ where $\varphi$ contains no refinement operators. Now we come to the less 
straightforward part, because there is a hitch: there is no general way to push a $\exists$ beyond 
a negation (or, for that matter, beyond a conjunction). For that, we use another trick, 
namely that all modal logical formulas are equivalent to formulas in the cover logic syntax, 
and that all those are equivalent to formulas in disjunctive form (see the introduction) 
in cover logic. Using that, once we have reached some innermost $\exists\varphi$ where $\varphi$ contains no 
refinement operators, we can continue pushing that refinement operator downward until it 
binds a propositional formula only, and disappears in smoke because of the RProp axiom. 
Then, iterate this. All $\exists$ operators have disappeared in smoke. We have a formula in modal 
logic. 

For a smooth argument we first give some general semantic and proof theoretic results, 
after which we apply the reduction argument and demonstrate completeness. 

Proposition 28 

1. $\vdash \forall_a(\varphi \wedge \psi) \leftrightarrow \forall_a\varphi \wedge \forall_a\psi$ 

2. $\vdash \exists_a(\varphi \vee \psi) \leftrightarrow \exists_a\varphi \vee \exists_a\psi$ 

3. $\vdash \exists_a(\varphi \wedge \psi) \to \exists_a\varphi \wedge \exists_a\psi$ 

Proof Item 1. can be easily derived from R, NecR and MP, similarly to the way that 
in modal logic we derive $\vdash \Box(\varphi \wedge \psi) \leftrightarrow \Box\varphi \wedge \Box\psi$. The other derivations are similar. □ 

Proposition 29 

1. $\vdash \forall_a\varphi \leftrightarrow \varphi$ for all propositional $\varphi$. 

2. $\vdash \exists_a\varphi \leftrightarrow \varphi$ for all propositional $\varphi$. 

3. $\vdash (\varphi \wedge \exists_a\psi) \leftrightarrow \exists_a(\varphi \wedge \psi)$ for all propositional $\varphi$ (and any $\psi \in \mathcal{L}_\forall$). 

Proof Item 1.: From axiom RProp that $\forall_a p \leftrightarrow p$ and $\forall_a\neg p \leftrightarrow \neg p$ we can immediately 
get $p \leftrightarrow \exists_a p$ and $\neg p \leftrightarrow \exists_a\neg p$ (reverse the implications). Now, use induction on the 
(propositional) structure of $\varphi$, using axiom RProp including the diamond version above, 
axiom Prop for all propositional equivalences, and, if we please ourselves with the inductive 
cases negation and conjunction, the theorem $\vdash \forall_a(\varphi \wedge \psi) \leftrightarrow \forall_a\varphi \wedge \forall_a\psi$ (Proposition 28). 
Item 2. is similar to Item 1. For Item 3., Proposition 28 demonstrated that $\exists_a(\varphi \wedge \psi) \to 
\exists_a\varphi \wedge \exists_a\psi$, from which, using Item 2., also follows $\varphi \wedge \exists_a\psi$. For the other direction we first 
derive $(\forall_a\varphi \wedge \exists_a\psi) \to \exists_a(\varphi \wedge \psi)$ by propositional means and applications of NecR and R, 
and then use that $\forall_a\varphi \leftrightarrow \varphi$ (Item 1.). □ 

Definition 30 (Substitution of equivalents) An axiomatization satisfies substitution 
of equivalents if the following holds. Let $\varphi_1, \varphi_2, \varphi_3$ be formulas in the logical language. If 
$\varphi_1$ is equivalent to $\varphi_2$ and $\varphi_1$ is a subformula of $\varphi_3$, and $\varphi_3$ is a theorem, then $\varphi_3[\varphi_2\backslash\varphi_1]$ 
is also a theorem. 

Proposition 31 The axiomatization RML satisfies substitution of equivalents. 

Proof This can be shown by induction on $\varphi_3$. For the cases $\Box_a\varphi$ and $\forall_a\varphi$, note that if 
$\Box_a\varphi$ is a theorem, then $\varphi$ was already a theorem (and IH), and that if $\forall_a\varphi$ is a theorem, 
$\varphi$ also was already a theorem (and IH). □ 

We now first show that every $\mathcal{L}_\forall$ formula is logically equivalent to an $\mathcal{L}$ formula. We 
then show that if the latter is a theorem in K, the former is a theorem in RML. 

Proposition 32 Every formula of $\mathcal{L}_\forall$ is logically equivalent to a formula of $\mathcal{L}$. 

Proof Given a formula $\psi \in \mathcal{L}_\forall$, we prove by induction on the number of occurrences 
of $\exists_a$ in $\psi$ (for any $a \in A$) that it is equivalent to an $\exists_a$-free formula, and therefore to a 
formula $\varphi \in \mathcal{L}$, the standard modal logic. The base is trivial. Now assume $\psi$ contains 
$n + 1$ occurrences of $\exists_a$-operators for some $a \in A$ (so these may be refinement operators 
for different agents). Choose a subformula of type $\exists_a\varphi$ of our given formula $\psi$, where $\varphi$ 
is $\exists_b$-free for any $b \in A$ (i.e. choose an innermost $\exists_a$). Let $\varphi'$ be a disjunctive formula 
that is equivalent to $\varphi$. We prove by induction on the structure of $\varphi'$ that $\exists_a\varphi'$ is logically 
equivalent to a formula $\chi$ without $\exists_a$. There are two cases: 

• $\exists_a(\varphi \vee \psi)$; 
• $\exists_a(\varphi_0 \wedge \bigwedge_{b\in B}\nabla_b\Phi^b)$ where $\varphi_0$ is propositional, $B \subseteq A$, and each $\Phi^b$ a set of dfs. 

In the first case, applying Proposition 28.2, we get $\exists_a\varphi \vee \exists_a\psi$, and then apply induction. 
In the second case, if $B = \emptyset$ we use that $\exists_a\varphi_0 \leftrightarrow \varphi_0$ (Proposition 29.2). If $B \neq \emptyset$, then 
from Proposition 29.3 it follows that this is equivalent to $\varphi_0 \wedge \exists_a\bigwedge_{b\in B}\nabla_b\Phi^b$, and we further 
reduce the right conjunct with one of the axioms RK (if $B = \{a\}$), RKmulti (if $B = \{b\}$ 
with $b \neq a$), or RKconj (if $|B| > 1$), and apply induction again. 

Thus we are able to push the refinement operators deeper into the formula until they 
eventually reach a propositional formula, at which point they disappear and we are left 
with the required $\exists$-free formula $\chi$ that is equivalent to $\exists\varphi'$. Replacing $\exists\varphi'$ by $\chi$ in $\psi$ gives 
a result with one less $\exists$-operator, to which the (original) induction hypothesis applies. □ 
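The rewriting in the proof above, for the single-agent case, as an added illustration (not code from the paper): it pushes one refinement quantifier through a formula in disjunctive form using Proposition 28.2, Proposition 29.2, Proposition 29.3 and axiom RK, and then model-checks the resulting $\exists$-free formula on a small constructed Kripke model. The tuple encoding of formulas, the model format and the three-state model are assumptions of this example.

```python
"""Eliminating a refinement quantifier from a single-agent formula in
disjunctive form (the inner induction of Proposition 32), then model checking.

Formulas are nested tuples:
  ('top',)  ('bot',)  ('lit', 'p', True) / ('lit', 'p', False)   literals p, not p
  ('and', f, g)  ('or', f, g)  ('not', f)
  ('cover', [f1, ..., fn])   the cover operator nabla{f1, ..., fn}
  ('dia', f)                 diamond (produced by the RK reduction)
  ('exists', f)              refinement quantifier; f is assumed to be a df
                             with no nested 'exists' (an innermost quantifier)
"""

TOP, BOT = ('top',), ('bot',)


def lit(p, positive=True):
    return ('lit', p, positive)


def box(f):
    """[]f in cover notation: nabla{f} v nabla{} (as used for Example 26)."""
    return ('or', ('cover', [f]), ('cover', []))


def conj(fs):
    """Right-nested conjunction; the empty conjunction is top."""
    fs = list(fs)
    if not fs:
        return TOP
    out = fs[-1]
    for f in reversed(fs[:-1]):
        out = ('and', f, out)
    return out


def conjuncts(f):
    """Flatten a nested conjunction into the list of its conjuncts."""
    return conjuncts(f[1]) + conjuncts(f[2]) if f[0] == 'and' else [f]


def is_propositional(f):
    return f[0] in ('top', 'bot', 'lit') or (
        f[0] in ('and', 'or', 'not') and all(is_propositional(g) for g in f[1:]))


def push_exists(df):
    """Return an exists-free formula equivalent to ('exists', df), df a df."""
    if is_propositional(df):                      # Proposition 29.2: E phi <-> phi
        return df
    if df[0] == 'or':                             # Proposition 28.2: distribute
        return ('or', push_exists(df[1]), push_exists(df[2]))
    parts = conjuncts(df)                         # the case phi0 ^ nabla Phi
    props = [g for g in parts if is_propositional(g)]
    covers = [g for g in parts if g[0] == 'cover']
    if len(props) + len(covers) != len(parts) or len(covers) > 1:
        raise ValueError('not a single-agent disjunctive formula: %r' % (df,))
    # Proposition 29.3 pulls phi0 out; RK turns E nabla{f1..fn} into /\ <> E fi.
    # The empty cover gives the empty conjunction, i.e. top (E [] bottom <-> top).
    reduced = [('dia', push_exists(g)) for g in covers[0][1]] if covers else []
    return conj(props + reduced)


def eliminate(f):
    """Remove every refinement quantifier in f (quantified bodies must be dfs)."""
    if f[0] == 'exists':
        return push_exists(f[1])
    if f[0] in ('and', 'or', 'not', 'dia'):
        return (f[0],) + tuple(eliminate(g) for g in f[1:])
    if f[0] == 'cover':
        return ('cover', [eliminate(g) for g in f[1]])
    return f


def holds(model, s, f):
    """Kripke semantics; model = (succ, val) with succ[s] the set of successors
    of s and val[s] the atoms true at s. nabla Phi holds when every successor
    satisfies some member of Phi and every member of Phi has a witness."""
    succ, val = model
    if f[0] == 'top': return True
    if f[0] == 'bot': return False
    if f[0] == 'lit': return (f[1] in val[s]) == f[2]
    if f[0] == 'not': return not holds(model, s, f[1])
    if f[0] == 'and': return holds(model, s, f[1]) and holds(model, s, f[2])
    if f[0] == 'or': return holds(model, s, f[1]) or holds(model, s, f[2])
    if f[0] == 'dia': return any(holds(model, t, f[1]) for t in succ[s])
    if f[0] == 'cover':
        return (all(any(holds(model, t, g) for g in f[1]) for t in succ[s])
                and all(any(holds(model, t, g) for t in succ[s]) for g in f[1]))
    raise ValueError('call eliminate() first: %r' % (f,))


def check(model, s, f):
    """Model-check a refinement modal formula via its exists-free equivalent."""
    return holds(model, s, eliminate(f))


# Constructed three-state model: s -> t, s -> u; p holds at t only.
MODEL = ({'s': {'t', 'u'}, 't': set(), 'u': set()},
         {'s': set(), 't': {'p'}, 'u': set()})

# Example 26 in cover notation: <>top -> E(nabla{p} v nabla{not p}).
EXAMPLE_26 = ('or', ('not', ('dia', TOP)),
              ('exists', ('or', ('cover', [lit('p')]), ('cover', [lit('p', False)]))))

if __name__ == '__main__':
    print(push_exists(('cover', [lit('p'), lit('p', False)])))
    print([check(MODEL, s, EXAMPLE_26) for s in 'stu'])
```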

Proposition 33 Let $\varphi \in \mathcal{L}_\forall$ be given and $\psi \in \mathcal{L}$ be equivalent to $\varphi$. If $\psi$ is a theorem in 
K, then $\varphi$ is a theorem in RML. 

Proof Given $\varphi \in \mathcal{L}_\forall$, Proposition 32 gives us an equivalent $\psi \in \mathcal{L}$. Assume that $\psi$ is a 
theorem in K. We can extend the derivation of $\psi$ to a derivation of $\varphi$ by observing that 
all steps used in Proposition 32 are not merely logical but also provable equivalences, 
where we also apply Proposition 31 on substitution of equivalents. □ 

Theorem 34 The axiom schema RML is sound and complete for the logic RML. 

Proof The soundness proof is given in Theorem 25, so we are left to show completeness. 
Suppose that $\varphi \in \mathcal{L}_\forall$ is valid: $\models \varphi$. Applying Proposition 32 we know that there is some 
equivalent formula $\psi \in \mathcal{L}$, i.e., not containing any refinement operator. As $\varphi$ is valid, 
from that and the validity $\varphi \leftrightarrow \psi$ it follows that $\psi$ is also valid in refinement modal logic, 
and therefore also valid in the logic K (note that the model class is the same). From the 
completeness of K it follows that $\psi$ is derivable, i.e. it is a theorem. From Proposition 33 
it follows that $\varphi$ is a theorem. □ 

5.4 The single-agent case 

The axiomatization for the single-agent case is the unlabelled version of RML, minus the 
axioms RKmulti and RKconj. The single-agent axiomatization was presented in [46]. 
The completeness proof there is (slightly) different from the multi-agent case of the proof 
here. In [16] it is used that every refinement modal logical formula is equivalent to a formula 
in cover logic with the special syntax $\varphi ::= \bot \mid \top \mid \varphi \vee \varphi \mid p \wedge \varphi \mid \neg p \wedge \varphi \mid \nabla\{\varphi, \ldots, \varphi\}$, 
$p \in P$ [28], plus induction on that form. (This syntax is of course very 'disjunctive formula 
like'.) That proof was suggested by Yde Venema, as a shorter alternative to the proof with 
disjunctive forms. 




5.5 Refinement epistemic logic 

Refinement modal logic RML is presented with respect to the class of all models. As 
mentioned in Section 4.1, by restricting the class of models that the logic is interpreted 
over, we may associate different meanings with the modalities. For example, the epistemic 
logic S5, a.k.a. the logic of knowledge, is interpreted over the model class $\mathcal{S}5$, and the 
logic of belief KD45 is interpreted over the class $\mathcal{KD}45$. Given any class of models $C$, the 
semantic interpretation of $\forall$ is given by: 

$M_s \models \forall_a\varphi$ iff for all $M' \in C$: $M_s \succeq_a M'_{s'}$ implies $M'_{s'} \models \varphi$. 

Thus we can consider various refinement epistemic logics. Although $\exists\Box\bot$ is a validity in 
RML (just remove all access) it is not so in refinement epistemic logic, interpreted on $\mathcal{S}5$ 
models, because seriality of models must be preserved in every refinement. And therefore 
it is also not valid in the refinement logic of belief. 

Our axiomatization RML may not be sound for more restricted model classes. Let us 
consider the single-agent case, and the axiom 

RK  $\exists\nabla\Phi \leftrightarrow \bigwedge\Diamond\exists\Phi$. 

For example, in $\mathcal{S}5$ we have that $\exists\nabla\{\Box p, \neg\Box p\}$ is inconsistent, but that $\Diamond\exists\Box p \wedge \Diamond\exists\neg\Box p$ is 
consistent: you do not consider an informative development possible after which you both 
know and don't know $p$ at the same time. Therefore, axiom RK is invalid for that class. 

The axioms replacing RK in the refinement logic of knowledge and the refinement logic of 
belief are, respectively: 

RS5  $\exists\nabla\Phi \leftrightarrow (\bigvee\Phi \wedge \bigwedge\Diamond\Phi)$, 

and 

RKD45  $\exists\nabla\Phi \leftrightarrow \bigwedge\Diamond\Phi$, 

where $\Phi$ is a set of purely propositional formulas. Now if apart from RS5 we also add the 
usual S5 axioms T, 4, and 5, we have a complete axiomatization for the refinement logic 
of knowledge. In the case of the refinement logic of belief, we add axioms D (for seriality), 
4, and 5 and RKD45 to get a complete axiomatization. For details, see [23]. 

A study of how various classes of models affect the properties of bisimulation quantified 
logics is given in [18]. Refinement epistemic logics are investigated in [23, 22]. In [22] a 
multi-agent KD45 axiomatization is also reported; a multi-agent S5 axiomatization is 
elusive so far. 

6 Axiomatization RML$^\mu$ 

In this section we give the axiomatization for the refinement modal $\mu$-calculus. We restrict 
ourselves to the single-agent refinement modal $\mu$-calculus. The axiomatization is an extension 
of the axiomatization RML for refinement modal logic. We recall the definition of the modal 
$\mu$-calculus in the technical introductory Section 2. 

Definition 35 (axiomatization RML$^\mu$) The axiomatization RML$^\mu$ is a substitution 
schema of the axioms and rules of RML (see Section 5), along with the axiom and rule 
for the modal $\mu$-calculus: 

F1  $\varphi[\mu x.\varphi\backslash x] \to \mu x.\varphi$ 

F2  From $\varphi[\psi\backslash x] \to \psi$ infer $\mu x.\varphi \to \psi$ 

and two new interaction axioms: 

R$^\mu$  $\forall\mu x.\varphi \leftrightarrow \mu x.\forall\varphi$ where $\varphi$ is a df 
R$^\nu$  $\forall\nu x.\varphi \leftrightarrow \nu x.\forall\varphi$ where $\varphi$ is a df 

We emphasize that the interaction axioms have the important associated condition that the 
refinement quantification will only commute with a fixed-point operator if the fixed-point 
formula is a disjunctive formula. 

6.1 Soundness 

The soundness proofs of Section 5.1 still apply and the soundness of F1 and F2 is well 
known [6], so we are left to show that R$^\mu$ and R$^\nu$ are sound. In the proof we use the 
characterization of refinement quantification in terms of bisimulation quantification and 
relativization that was established in Proposition 22, and we use the characterization of 
both fixed points in terms of bisimulation quantification as reported in Section 2. In order 
to make the construction work, we need to expand the translation $t$ from $\mathcal{L}_\forall$ into bisimulation 
quantified logic (Definition 20) to a translation on $\mathcal{L}^\mu_\forall$ by adding the clauses for fixed points from Section 2: 
$t(\nu x.\varphi) = \exists p(p \wedge \blacksquare(p \to t(\varphi[p\backslash x])))$ and $t(\mu x.\varphi) = \forall p(\blacksquare(t(\varphi[p\backslash x]) \to p) \to p)$; and we 
need to expand the definition $\cdot^p : \mathcal{L}_\forall \to \mathcal{L}_\forall$ of relativization (Definition 17) to include a clause 
for the universal modality: $(\blacksquare\varphi)^p = \blacksquare\varphi^p$. 

Theorem 36 The axioms R$^\mu$ and R$^\nu$ are sound. 

Proof The proof consists of two cases, R$^\nu$ and R$^\mu$. 

Case R$^\nu$ 

It is more convenient in this proof to reason about the axiom in its contrapositive 
form: $\exists\nu x.\varphi \leftrightarrow \nu x.\exists\varphi$. The proof demonstrates that $t(\exists\nu x.\varphi)$ is equivalent to $t(\nu x.\exists\varphi)$ 
in bisimulation quantified logic (with the universal modality). Using the translation and 
relativization equivalences above we have that, for any $\varphi \in \mathcal{L}_\forall$: 

$t(\exists\nu x.\varphi) \leftrightarrow \exists p\, t(\nu x.\varphi)^p$ 
$\leftrightarrow \exists p(\exists q(q \wedge \blacksquare(q \to t(\varphi))))^p$ 
$\leftrightarrow \exists p\exists q(q \wedge (\blacksquare(q \to t(\varphi)))^p)$ 
$\leftrightarrow \exists p\exists q(q \wedge \blacksquare(q \to t(\varphi)^p))$ 
$\leftrightarrow \exists q\exists p(q \wedge \blacksquare(q \to t(\varphi)^p))$ 
$\leftrightarrow \exists q(q \wedge \exists p\blacksquare(q \to t(\varphi)^p))$ 
$\to \exists q(q \wedge \blacksquare\exists p(q \to t(\varphi)^p))$   (*) 
$\leftrightarrow \exists q(q \wedge \blacksquare(q \to \exists p\, t(\varphi)^p))$ 
$\leftrightarrow \exists q(q \wedge \blacksquare(q \to t(\exists\varphi)))$ 
$\leftrightarrow t(\nu x.\exists\varphi)$ 

This proof simply applies known validities of bisimulation quantifiers. Note that line (*) 
is not an equivalence. The other direction holds if $\varphi$ is a df. This we now prove: 

Let $\varphi$ be a df, then $\models \exists q(q \wedge \blacksquare\exists p(q \to t(\varphi)^p)) \to \exists q(q \wedge \exists p\blacksquare(q \to t(\varphi)^p))$.   (4) 

Suppose $M_s$ is any countable model such that $M_s \models \exists q(q \wedge \blacksquare\exists p(q \to t(\varphi)^p))$, where 
$\varphi$ is a df. By definition of the bisimulation quantifiers, there exists some model $N = 
(S^N, R^N, V^N)$ such that $N_t$ is related to $M_s$ by a bisimulation that disregards $q$, and $N_t \models q \wedge \blacksquare\exists p(q \to t(\varphi)^p)$. Moreover, as 
bisimulation quantified modal logic enjoys the tree-model property, we may assume without 
loss of generality that $N_t$ is some tree-like model. 

We inductively build a series of models $N^i = (S^N, R^i, V_i)$ such that $N^i_t$ is bisimilar to $N_t$ up to $p$ and $q$, and $V_i$ 
may differ from $V^N$ only for the variables $p$ and $q$, that is $V_i(r) = V^N(r)$ for all $r \notin \{p, q\}$. 
Moreover, the series $\{V_i\}$ is such that the sets $V_i(q)$ and $V_i(p)$ strictly increase. Its limit 
yields a valuation $V_\omega$ such that the model $N^\omega = (S^N, R^\omega, V_\omega)$ satisfies $q \wedge \blacksquare(q \to t(\varphi)^p)$ at 
state $t$, and $N^\omega_t$ is bisimilar to $M_s$ up to $p$ and $q$. As a consequence $M_s \models \exists q(q \wedge \exists p(\blacksquare(q \to t(\varphi)^p)))$. 

We now define the series $\{N^i\}_i$. We set $V_0(q) = \{t\}$, $V_0(p) = \emptyset$. As $N_t \models \exists p\, t(\varphi)^p$ and 
$\varphi$ is a df, the only case where the valuation of atom $q$ may influence the interpretation of 
$\exists p\, t(\varphi)^p$ is at a set of states such that all states beyond that set of states are irrelevant to 
the interpretation of $\exists p\, t(\varphi)^p$ at $t$ (this set of states forms a frontier). This is because in a 
disjunctive form, if $q$ is a subformula of $\varphi$ then if $q$ appears in the scope of a conjunction, it 
appears within the scope of a modality within that conjunction. Thus, there is a (possibly 
infinite) set of states $\{u_0, u_1, \ldots\} \subseteq V^N(q)$ such that the model $N' = (S^N, R', V')$ with 
$V'(q) = \{t, u_0, u_1, \ldots\}$, $V'(r) = V^N(r)$ for $r \notin \{q, p\}$ and $R' = R^N \setminus \{(u_i, s) \mid s \in S^N, i = 
0, 1, \ldots\}$, is such that $N'_t \models t(\varphi)^p$. Consequently the valuation of $p$ may be restricted 
to states that are not reachable from any state $u_0, u_1, \ldots$. Let $S_0 \subseteq S^N$ be the set of 
states reachable from $t$, but not reachable from $u_i$ for any $i$. We define $N^1$ by setting 
$V_1(q) = V'(q)$, $V_1(p) = V'(p) \cap S_0$ and $V_1(r) = V^N(r)$ for $r \notin \{q, p\}$. As $u_0, u_1, \ldots \in V^N(q)$ 
and $N_t \models \blacksquare\exists p(q \to t(\varphi)^p)$, we have $N^1_{u_i} \models q \wedge \blacks\-quare(\exists p(q \to t(\varphi)^p))$ for all $i$. 

As $M_s$ is a countable model, we may assume an enumeration of the worlds (or states) 
in that model. The induction proceeds by taking the first state $u_0$ on the frontier and 
repeating the process (i.e., finding a valuation $V'$ such that $V'$ makes $q$ true on a frontier 
$\{v_0, v_1, \ldots\}$, agrees with $V_1$ on the interpretation of all atoms except $q$ and $p$, makes 
$N'_{u_0} \models t(\varphi)^p$ and makes $N'_{v_i} \models q \wedge \blacksquare(\exists p(q \to t(\varphi)^p))$ for all $i$). We define $V_2$ by taking 
the union $V_2(q) = V'(q)$ and $V_2(p) = V_1(p) \cup (V'(p) \cap S_1)$ where $S_1$ is the set of states 
reachable from $u_0$, but not from $v_i$ for any $i$, and all other atoms have their valuations 
unchanged. The states $\{v_0, v_1, \ldots\}$ are added to the set of frontier states and the induction 
continues. The construction is represented in Figure 7. 

Figure 7: The inductive step for the construction of $N^\omega$. The formula $t(\varphi)^p$ is independent 
of any state where $p$ is not true, or any state beyond the frontier defined by $u_0, u_1, \ldots$. 



Case R$^\mu$ 

We also use the contrapositive form of the axiom: $\exists\mu x.\varphi \leftrightarrow \mu x.\exists\varphi$. For any $\varphi \in \mathcal{L}^\mu_\forall$ we 
have that: 

$t(\exists\mu x.\varphi) \leftrightarrow \exists p\, t(\mu x.\varphi)^p$ 
$\leftrightarrow \exists p(\forall q(\blacksquare(t(\varphi) \to q) \to q))^p$ 
$\leftrightarrow \exists p\forall q(\blacksquare(t(\varphi)^p \to q) \to q)$ 
$\to \forall q\exists p(\blacksquare(t(\varphi)^p \to q) \to q)$   (**) 
$\leftrightarrow \forall q\exists p(\blacklozenge(t(\varphi)^p \wedge \neg q) \vee q)$ 
$\leftrightarrow \forall q(\exists p\blacklozenge(t(\varphi)^p \wedge \neg q) \vee q)$ 
$\leftrightarrow \forall q(\blacklozenge\exists p(t(\varphi)^p \wedge \neg q) \vee q)$   (***) 
$\leftrightarrow \forall q(\blacklozenge(\exists p\, t(\varphi)^p \wedge \neg q) \vee q)$ 
$\leftrightarrow \forall q(\blacksquare(\exists p\, t(\varphi)^p \to q) \to q)$ 
$\leftrightarrow \forall q(\blacksquare(t(\exists\varphi) \to q) \to q)$ 
$\leftrightarrow t(\mu x.\exists\varphi)$ 

The equivalence in (***) is true because $\blacklozenge$ is the existential modality which quantifies over 
all states in the model. Obviously, the implication in line (**) is only true in one direction 
(the usual quantifier swap $\exists\forall \to \forall\exists$). To prove the other direction in the equivalence 
$\exists\mu x.\varphi \leftrightarrow \mu x.\exists\varphi$, we now show directly that $\models \mu x.\exists\varphi \to \exists\mu x.\varphi$ in the refinement $\mu$-calculus, 
for $\varphi$ a df (observe that $\mu x.\varphi$ is then a df as well). 

We use the inductive characterization of $\mu x.\exists\varphi$ of [6] which tells us that $M_s \models \mu x.\exists\varphi$ if 
and only if $s \in \|\exists\varphi\|_\tau$ for some ordinal $\tau$, where we recall the definition of the semantic 
operation $\|\cdot\|$: $\|\exists\varphi\|_0 = \emptyset$, and $s \in \|\exists\varphi\|_\tau$ whenever $M^\sigma_s \models \exists\varphi$, where $M^\sigma$ is $M$ with the 
valuation $\sigma = x \mapsto \bigcup_{\tau' < \tau}\|\exists\varphi\|_{\tau'}$. 

Suppose $M_s \models \mu x.\exists\varphi$. Since $\mathcal{L}^\mu_\forall$ is bisimulation invariant, without loss of generality 
we may suppose that $M$ is a countable tree-like model. As $M_s$ satisfies $\mu x.\exists\varphi$, there must 
be some least ordinal $\tau$ whereby $s \in \|\exists\varphi\|_\tau$. We give a proof by induction over $\tau$ that 
$s \in \|\exists\varphi\|_\tau$ implies $M_s \models \exists\mu x.\varphi$. The base case where $\tau = 0$ is trivial. Now consider 
$M^\sigma$ with $\sigma = x \mapsto \bigcup_{\tau' < \tau}\|\exists\varphi\|_{\tau'}$, then $M^\sigma_s \models \exists\varphi$. As $\mu x.\varphi$ is a df, we are again 
in the case where there is a refinement of $M^\sigma$ with a frontier such that $x$ may only be 
true at $s$ or on this frontier, and no point beyond the frontier affects the interpretation 
of $\varphi$. Formally, there is a set of states $\{u_0, u_1, \ldots\} \subseteq V^\sigma(x)$ such that $M'_s \models \exists\varphi$ (i.e., 
$M'_s \models \exists p\, t(\varphi)^p$), where $M' = (S', R', V')$ with 

• $S' \subseteq S^\sigma$ is the set of states reachable from $s$, but not from any $u_i$; 

• $V'(x) = \{t, u_0, u_1, \ldots\}$, $V'(y) = V^\sigma(y)$ for $y \neq x$; and 

• $R' = R^\sigma \setminus \{(u_i, t) \mid t \in S^\sigma, i = 0, 1, \ldots\}$. 

We note that $M'_s$ is a refinement of $M^\sigma_s$. Now as for each $i$, $u_i \in \|\exists\varphi\|_j$ for some $j < \tau$, by 
the inductive hypothesis we may assume there is some model $N^i = (S^i, R^i, V^i)$ where $N^i_{u_i} \preceq 
M^\sigma_{u_i}$ and $N^i_{u_i} \models \mu x.\varphi$. We may append these models to $M'$, to define $M^* = (S^*, R^*, V^*)$ 
where $S^* = S' \cup \bigcup_i S^i$, $R^* = R' \cup \bigcup_i R^i \cup \{(t, u_i) \mid (t, u_i) \in R'\}$, and $V^*(y) = V'(y) \cup \bigcup_i V^i(y)$ 
for all $y \in P$. (Notice the similar construction in the soundness proof of axiom RK.) It 
is clear that $M^*_s$ is a refinement of $M_s$, and by the axiom F1 we can see $M^*_s \models \mu x.\varphi$ as 
required. □ 

We note that the general form of R$^\mu$ is not sound. For example, take $\varphi = \mu z.\Diamond(p \ldots q) \to 
\Diamond(\neg p \to x)$. Then $\forall\mu x.\varphi$ is true if $p$ is true at every immediate successor of the 
current state, whereas $\mu x.\forall\varphi$ is only true at states with no successor. Likewise R$^\nu$ is not 
true in the general case, as can be seen by taking $\varphi = p \wedge \Box(\Diamond\top \to x)$. Then $\nu x.\forall\varphi$ is true 
if and only if $p$ is true at every reachable state, and $\forall\nu x.\varphi$ is true only if $p$ is true at every 
state within one step. 

6.2 Completeness 

The completeness proof of RML$^\mu$ proceeds exactly as for Theorem 34, replacing the for- 
mulas in cover logic with disjunctive formulas, to get a statement similar to that of Propo- 
sition 32. 

Proposition 37 Every formula of $\mathcal{L}^\mu_\forall$ is equivalent to a formula of $\mathcal{L}^\mu$. 

Proof Given a formula $\psi$, we prove by induction on the number of occurrences of $\exists$ 
in $\psi$ that it is equivalent to an $\exists$-free formula, and therefore to a formula in the modal 
$\mu$-calculus. The base is trivial. Now assume $\psi$ contains $n + 1$ $\exists$-operators. Choose a 
subformula of type $\exists\varphi$ of our given formula $\psi$, where $\varphi$ is $\exists$-free (i.e. choose an innermost 
$\exists$). As $\varphi$ is $\exists$-free, it is semantically equivalent to a formula in disjunctive normal form, and 
by the completeness of Kozen's axiom system [19] this equivalence is provable in RML$^\mu$. 
By NecR and R it follows that $\exists\varphi$ is provably equivalent to some formula $\exists\varphi'$ where 
$\varphi'$ is a disjunctive formula. Thus without loss of generality, we may assume in the 
following that $\varphi$ is in disjunctive normal form. We may now proceed by induction over the 
complexity of $\varphi$, and conclude that $\exists\varphi$ is logically equivalent to a formula $\chi$ without $\exists$. 
All cases of this induction are as before; we only show the final two, different cases: 

• $\exists\mu x.\varphi$ iff $\mu x.\exists\varphi$ (by R$^\mu$, noting that all subformulas of a disjunctive formula are 
themselves disjunctive); IH. 

• $\exists\nu x.\varphi$ iff $\nu x.\exists\varphi$ (by R$^\nu$); IH. 

Replacing $\exists\varphi$ by $\chi$ in $\psi$ gives a result with one less $\exists$-operator, to which the (original) 
induction hypothesis applies. □ 

Theorem 38 The axiom schema RML$^\mu$ is sound and complete for the logic RML$^\mu$. 

Proof Soundness follows from Theorem 36 and Theorem 25. To see that RML$^\mu$ is complete, 
suppose $\varphi \in \mathcal{L}^\mu_\forall$ is a valid formula. Then by Proposition 37 $\varphi$ is provably equivalent to some 
valid formula $\psi \in \mathcal{L}^\mu$. As $\psi$ is valid, it must be provable since Prop, K, F1, F2, NecK, 
and MP give a sound and complete proof system for the modal $\mu$-calculus [19]. A proof 
of $\varphi$ follows by MP. □ 



7 Complexity 

Decidability for both $\mathcal{L}_\forall$ and $\mathcal{L}^\mu_\forall$ follows from the fact that a computable translation is 
given in the completeness proofs of Sections 5 and 6: note that the given translations, to $\mathcal{L}$ 
and $\mathcal{L}^\mu$ respectively, are recursive and involve transforming formulas into their disjunctive 
normal forms. Hence they are non-elementary in the size of the original formula. This 
non-elementary procedure for $\mathcal{L}^\mu_\forall$ is optimal as shown in Section 7.1 below. 

Unfortunately we were not able to corroborate the lower complexity claims for RML 
reported in [56]. But towards some indication of a result in that direction, we further 
establish a doubly exponential succinctness proof for $\mathcal{L}_\forall$ in Section 7.2. 

7.1 RML$^\mu$ is non-elementary 

This section is dedicated to the proof of the following result. 

Theorem 39 The satisfiability problem for RML$^\mu$ is non-elementary, even for the single- 
agent setting. 
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In the rest of this section, we only consider a single-agent setting. 

First, we recall a fragment, written CTL~, of the standard branching-time logic Com- 
putation Tree Logic (CTL) [12], which in turn is a fragment of (see also the example 
Section USD- 

CTL$^-$ ∋ $\varphi ::= \top \mid \bot \mid p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \Box\varphi \mid \Diamond\varphi \mid EF\varphi \mid AF\varphi$

Let $M$ be a model and $s$ be an $M$-state. A path from $s$ is a finite or infinite sequence of states $\pi = s_0, s_1, \ldots$ such that $s_0 = s$ and each $s_{i+1}$ is a successor of $s_i$. Only the semantics of AF and EF is recalled (for the other formulas it is clear):

$M_s \models EF\varphi$ iff there is a maximal path $\pi = s_0, s_1, \ldots$ from $s$ and $i \ge 0$ such that $M_{s_i} \models \varphi$;

$M_s \models AF\varphi$ iff for each maximal path $\pi = s_0, s_1, \ldots$ from $s$, there is $i \ge 0$ such that $M_{s_i} \models \varphi$.

Directly translating CTL$^-$ into $\mathcal{L}^\mu$ is routine via the following mapping $\tau : \mathrm{CTL}^- \to \mathcal{L}^\mu$, defined by induction over the formulas: $\tau(\top) = \top$, $\tau(p) = p$, $\tau(\neg\varphi) = \neg\tau(\varphi)$, $\tau(\varphi \wedge \varphi') = \tau(\varphi) \wedge \tau(\varphi')$, $\tau(\Box\varphi) = \Box\tau(\varphi)$, $\tau(\Diamond\varphi) = \Diamond\tau(\varphi)$, $\tau(EF\varphi) = \mu x.\tau(\varphi) \vee \Diamond x$, $\tau(AF\varphi) = \mu x.\tau(\varphi) \vee \Box x$.

We also use the standard abbreviations for the duals $AG\varphi$ iff $\neg EF\neg\varphi$ ('universal always'), and $EG\varphi$ iff $\neg AF\neg\varphi$ ('existential always'). A CTL$^-$ formula is in positive form if negation is applied only to propositional variables. A CTL$^-$ formula $\varphi$ is existential if it is in positive form and there are no occurrences of universal modalities (that is, AF) and of the modality $\Box$. The following can be proved by using Proposition 7 enriched for the case of EF formulas (with a transfinite induction argument for this fixed-point formula).

Proposition 40 Let $M_s$ and $N_t$ be two models with $M_s \succeq N_t$. Then for each existential CTL$^-$ formula $\varphi$, $N_t \models \varphi$ implies $M_s \models \varphi$. ⊣

Definition 41 (Refinement CTL$^-$) Refinement CTL$^-$ (CTL$^-_\forall$, for short) is the extension of CTL$^-$ with the refinement quantifiers $\exists$ and $\forall$. ⊣

Definition 42 (Refinement Quantifier Alternation Depth) We first define the alternation length $\ell(\chi)$ of a finite sequence $\chi \in \{\exists,\forall\}^*$ of quantifiers as the number of alternations of existential and universal refinement quantifiers in $\chi$. Formally, $\ell(\varepsilon) = 0$, $\ell(Q) = 0$ for every $Q \in \{\exists,\forall\}$, and $\ell(QQ'\chi) = \ell(Q'\chi)$ if $Q = Q'$, and $\ell(QQ'\chi) = \ell(Q'\chi) + 1$ otherwise.

Given an $\mathcal{L}_\forall$ (resp., $\mathcal{L}^\mu_\forall$, resp., CTL$^-_\forall$) formula $\varphi$, the refinement quantifier alternation depth $\delta(\varphi)$ of $\varphi$ is defined via the standard tree-encoding $T(\varphi)$ of $\varphi$, where each node is labeled by either a modality, or a boolean connective, or a propositional variable. Then, $\delta(\varphi)$ is the maximum of the alternation lengths $\ell(\chi)$ where $\chi$ is the sequence of refinement quantifiers along a maximal path of $T(\varphi)$ from the root. ⊣

Theorem 43 Let the class $C_k = \{\varphi \in \mathrm{CTL}^-_\forall \mid \delta(\varphi) \le k\}$. The satisfiability problem for $C_k$ is $k$-EXPSPACE-hard, for any $k$. ⊣
Theorem 43 is proved by a polynomial-time reduction from satisfiability of Quantified Propositional Temporal Logic (QPTL) [42]. First, we recall the syntax and the semantics of QPTL. The syntax of QPTL formulas over a countable set $P$ of propositional variables is defined as follows:

$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid X\varphi \mid F\varphi \mid \exists p.\varphi$

where $p \in P$, $X$ is the 'next' modality, $F$ is the 'eventually' modality, and $\exists$ is the existential quantifier.¹ We also use the standard abbreviation $G\varphi$ for $\neg F\neg\varphi$ ('always').

The semantics is given w.r.t. elements of $(2^P)^\omega$, namely infinite words $w$ over $2^P$. Beforehand, we need some technical notions. Let $w \in (2^P)^\omega$. For each $i \ge 0$, $w(i)$ denotes the $i$th symbol of $w$. Moreover, for each $P' \subseteq P$, we define the equivalence relation $\equiv_{P'}$ over $(2^P)^\omega$: two infinite words $w_1$ and $w_2$ are $\equiv_{P'}$-equivalent whenever their projections onto $P'$ are equal. The projection of an infinite word $w$ onto $P'$, written $\mathrm{proj}(w, P')$, is obtained by removing from each symbol of $w$ all the propositions in $P \setminus P'$. Hence, $w_1 \equiv_{P'} w_2$ iff $\mathrm{proj}(w_1, P') = \mathrm{proj}(w_2, P')$.

Given a QPTL formula $\varphi$, an infinite word $w$ over $2^P$, and a position $h \ge 0$ along $w$, the satisfaction relation $(w, h) \models \varphi$ is inductively defined as follows (we omit the clauses for the boolean connectives):

$(w, h) \models p$ iff $p \in w(h)$

$(w, h) \models X\varphi$ iff $(w, h+1) \models \varphi$

$(w, h) \models F\varphi$ iff there is $h' \ge h$ such that $(w, h') \models \varphi$

$(w, h) \models \exists p.\varphi$ iff there is $w'$ with $w' \equiv_{P \setminus \{p\}} w$ and $(w', h) \models \varphi$

We say that the word $w$ satisfies $\varphi$, written $w \models \varphi$, if $(w, 0) \models \varphi$. A QPTL formula $\varphi$ is in positive normal form if it is of the form $Q_1p_1.Q_2p_2.\ldots Q_np_n.\varphi_{n+1}$, where $Q_j \in \{\exists,\forall\}$ for each $1 \le j \le n$, and $\varphi_{n+1}$ is a quantification-free QPTL formula in which negation is applied only to propositional variables.² The quantifier alternation depth of $Q_1p_1.Q_2p_2.\ldots Q_np_n.\varphi_{n+1}$ is the number of alternations of (existential and universal) quantifiers in the string $Q_1Q_2\ldots Q_n$. The following is a well-known result.

Theorem 44 Let $k \ge 0$. Then, the satisfiability problem for the class of QPTL formulas in positive normal form whose quantifier alternation depth is $k$ is $k$-EXPSPACE-hard. ⊣

Note that Theorem 44 holds even if we assume that formulas in positive normal form like $Q_1p_1.Q_2p_2.\ldots Q_np_n.\varphi_{n+1}$ (with $\varphi_{n+1}$ quantification-free) are such that $p_1, \ldots, p_n$ are pairwise distinct, each proposition occurring in $\varphi_{n+1}$ is in $\{p_1, \ldots, p_n\}$, and $Q_n = \forall$.



Theorem 43 directly follows from Theorem 44 and the following theorem, whose proof is given in the rest of this section.

¹ We distinguish the (domain) quantifiers $\exists$ and $\forall$ in use here from the refinement quantifiers $\exists$ and $\forall$, and from the bisimulation quantifiers $\exists$ and $\forall$.

² Every QPTL formula is constructively equivalent to a formula in positive normal form, with linear size.
Theorem 45 For every $\varphi \in$ QPTL, one can construct in time polynomial in the size of $\varphi$ a formula $\hat\varphi \in$ CTL$^-_\forall$ such that $\varphi$ is satisfiable if, and only if, $\hat\varphi$ is satisfiable. Moreover, the refinement quantifier alternation depth of $\hat\varphi$, $\delta(\hat\varphi)$, is equal to the quantifier alternation depth of $\varphi$. ⊣

Before proving Theorem 45 we need additional definitions. Let $P = \{p_1, \ldots, p_n\}$ and $\hat P = P \cup \{p_0, \bar p_1, \ldots, \bar p_n\}$, where $p_0, \bar p_1, \ldots, \bar p_n$ are fresh propositional variables (intuitively, $\bar p_i$ is used to encode the negation of $p_i$ for each $1 \le i \le n$, and $p_0$ is a new variable that will be used to mark a path). For a model $M$ and two states $s$ and $s'$ in $M$, $s'$ is reachable from $s$ if there is a finite path from $s$ leading to $s'$. Let $0 \le j \le n$. A pointed model $M_s$ (over $\hat P$) is well-formed w.r.t. $j$ if the following holds:

1. for each state $s'$ of $M$ which is reachable from $s$, there is exactly one proposition $p \in \hat P$ such that $s' \in V^M(p)$ (we say that $s'$ is a $p$-state); moreover, $s$ is a $p_0$-state;

2. each state $s'$ reachable from $s$ which is not a $p_0$-state has no successor;

3. each $p_0$-state $s'$ which is reachable from $s$ satisfies: (i) $s'$ has some $p_0$-successor, (ii) for all $1 \le i \le j$, $s'$ has either some $p_i$-successor or some $\bar p_i$-successor, where the 'or' is exclusive due to 1., and (iii) for all $j+1 \le i \le n$, $s'$ has both a $p_i$-successor and a $\bar p_i$-successor.

For each $0 \le j \le n$, the following CTL$^-$ formula $\psi_j$ over $\hat P$ characterizes the set of pointed models which are well-formed w.r.t. $j$:

$\psi_j := p_0 \wedge AG\Bigl\{ \bigl[\bigvee_{p \in \hat P} \bigl(p \wedge \bigwedge_{p' \in \hat P \setminus \{p\}} \neg p'\bigr)\bigr] \wedge [\neg p_0 \to \Box\bot] \wedge \bigl(p_0 \to \bigl[\Diamond p_0 \wedge \bigwedge_{j+1 \le i \le n} (\Diamond p_i \wedge \Diamond\bar p_i) \wedge \bigwedge_{1 \le i \le j} \bigl((\Diamond p_i \vee \Diamond\bar p_i) \wedge (\Box\neg p_i \vee \Box\neg\bar p_i)\bigr)\bigr]\bigr) \Bigr\}$

In particular, it can be shown that $\psi_0$ enforces the existence of an infinite path consisting of $p_0$-states all along.

A pointed model $M_s$ is well-formed if it is well-formed w.r.t. $j$ for some $0 \le j \le n$. In this case, we say that $M_s$ is minimal if, additionally, each $p_0$-state which is reachable from $s$ has exactly one $p_0$-successor.

A well-formed pointed model $M_s$ encodes a set of infinite words over $2^P$, written $\mathrm{words}(M_s)$, given by: $w \in \mathrm{words}(M_s)$ iff there is an infinite path $\pi = s_0, s_1, \ldots$ of $M$ from $s$ (note that $\pi$ consists of $p_0$-states) such that for all $h \ge 0$ and $1 \le j \le n$, either $p_j \in w(h)$ and $s_h$ has some $p_j$-successor, or $p_j \notin w(h)$ and $s_h$ has some $\bar p_j$-successor.

Note that if $M_s$ is well-formed w.r.t. 0, then $\mathrm{words}(M_s) = (2^P)^\omega$. If instead $M_s$ is well-formed w.r.t. $j$ for some $0 < j \le n$ and $M_s$ is also minimal, then there is an infinite word $u_j \in (2^{\{p_1, \ldots, p_j\}})^\omega$ such that $\mathrm{words}(M_s) = \{w \in (2^P)^\omega \mid \mathrm{proj}(w, \{p_1, \ldots, p_j\}) = u_j\}$. In particular, when $j = n$, $\mathrm{words}(M_s)$ is a singleton.

Also, one can easily see that if $M_s \succeq N_t$ then $\mathrm{words}(N_t) \subseteq \mathrm{words}(M_s)$.
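The well-formedness conditions 1 to 3, minimality, and the way the letters of a word in words(M_s) are read off the p_0-path, as an added Python example that is not code from the paper; the propositions p̄_i are spelled np_i, models are plain successor lists with a labelling, and the lasso-shaped sample model is constructed here.

```python
"""Added example (not from the paper): the well-formedness conditions 1-3 of
Section 7.1, minimality, and the letters of words(M_s) along the p0-path, for
finite pointed models given as successor lists plus a labelling over P-hat."""
from collections import deque


def p_hat(n):
    """P-hat = {p0} U {p1..pn} U {np1..npn}; 'np{i}' stands for the paper's p-bar_i."""
    return {"p0"} | {f"p{i}" for i in range(1, n + 1)} | {f"np{i}" for i in range(1, n + 1)}


def reachable(succ, s):
    """States reachable from s by a finite path (s itself included)."""
    seen, todo = {s}, deque([s])
    while todo:
        u = todo.popleft()
        for v in succ[u]:
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen


def the_prop(label, u, props):
    """Condition 1: exactly one proposition of P-hat holds at u; return it, else None."""
    held = set(label[u]) & props
    return next(iter(held)) if len(held) == 1 else None


def is_well_formed(succ, label, s, j, n):
    """M_s is well-formed w.r.t. j (0 <= j <= n) in the sense of Section 7.1."""
    props = p_hat(n)
    if the_prop(label, s, props) != "p0":          # s must be a p0-state
        return False
    for u in reachable(succ, s):
        p = the_prop(label, u, props)
        if p is None:                               # condition 1 violated
            return False
        if p != "p0":                               # condition 2: non-p0-states are dead ends
            if succ[u]:
                return False
            continue
        kinds = {the_prop(label, v, props) for v in succ[u]}
        if "p0" not in kinds:                       # 3(i): some p0-successor
            return False
        for i in range(1, j + 1):                   # 3(ii): exactly one of p_i / np_i
            if (f"p{i}" in kinds) == (f"np{i}" in kinds):
                return False
        for i in range(j + 1, n + 1):               # 3(iii): both p_i and np_i
            if not {f"p{i}", f"np{i}"} <= kinds:
                return False
    return True


def is_minimal(succ, label, s, n):
    """Every reachable p0-state has exactly one p0-successor."""
    props = p_hat(n)
    for u in reachable(succ, s):
        if the_prop(label, u, props) == "p0":
            if sum(the_prop(label, v, props) == "p0" for v in succ[u]) != 1:
                return False
    return True


def determined_letters(succ, label, s, n, k):
    """Follow the unique p0-path s_0, s_1, ... of a minimal well-formed model for k
    positions.  For position h return (fixed, free): p_i is in `fixed` when s_h has a
    p_i-successor but no np_i-successor (p_i is true at h in every word of words(M_s)),
    in `free` when it has both (either value is allowed); only an np_i-successor means
    p_i is false at h.  Assumes is_well_formed and is_minimal hold."""
    props = p_hat(n)
    out, u = [], s
    for _ in range(k):
        kinds = {the_prop(label, v, props) for v in succ[u]}
        fixed = {f"p{i}" for i in range(1, n + 1) if f"p{i}" in kinds and f"np{i}" not in kinds}
        free = {f"p{i}" for i in range(1, n + 1) if {f"p{i}", f"np{i}"} <= kinds}
        out.append((frozenset(fixed), frozenset(free)))
        u = next(v for v in succ[u] if the_prop(label, v, props) == "p0")
    return out


def sample_model():
    """Constructed model, n = 2: the p0-path is the lasso t0 -> t1 -> t0; p1 is fixed
    true at even positions and false at odd ones, p2 is free at every position.  It is
    well-formed w.r.t. 1 and minimal, so words(M_s) = {w | proj(w, {p1}) = ({p1} {})^omega}."""
    succ = {"t0": ["t1", "a1", "a2", "a3"], "t1": ["t0", "b1", "b2", "b3"],
            "a1": [], "a2": [], "a3": [], "b1": [], "b2": [], "b3": []}
    label = {"t0": {"p0"}, "t1": {"p0"}, "a1": {"p1"}, "a2": {"p2"}, "a3": {"np2"},
             "b1": {"np1"}, "b2": {"p2"}, "b3": {"np2"}}
    return succ, label
```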
Construction of the CTL$^-_\forall$ formula $\hat\varphi$ (in Theorem 45). Pick a QPTL formula $\varphi = Q_1p_1.Q_2p_2.\ldots Q_np_n.\varphi_{n+1}$. For each $1 \le j \le n$, we let $\varphi_j = Q_jp_j.Q_{j+1}p_{j+1}.\ldots Q_np_n.\varphi_{n+1}$ (note that $\varphi_1$ corresponds to $\varphi$).

First, for each $1 \le j \le n+1$, we construct a CTL$^-_\forall$ formula $\hat\varphi_j$ over $\hat P$ by using the CTL$^-$ formulas $\psi_i$. The construction is based on an induction on $n + 1 - j = 0, \ldots, n$ as follows:

Base case ($j = n+1$). Recall that $\varphi_{n+1}$ is a quantification-free QPTL formula in positive normal form over $P$. Let $T$ be the following mapping from the set of quantification-free QPTL formulas $\xi$ over $P$ in positive normal form to the set of existential CTL$^-$ formulas over $\hat P$ (it is defined by induction).

• $T(p) = \Diamond p$ and $T(\neg p) = \Diamond\bar p$ for each $p \in P$;

• $T(\xi_1 \vee \xi_2) = T(\xi_1) \vee T(\xi_2)$ and $T(\xi_1 \wedge \xi_2) = T(\xi_1) \wedge T(\xi_2)$;

• $T(X\xi) = \Diamond(p_0 \wedge T(\xi))$, $T(F\xi) = EF(p_0 \wedge T(\xi))$, and $T(G\xi) = EG(p_0 \wedge T(\xi))$.

Then, $\hat\varphi_{n+1} := T(\varphi_{n+1})$.

Induction case ($1 \le j \le n$). Recall $\varphi_j = Q_jp_j.\varphi_{j+1}$. Then

$\hat\varphi_j := \exists(\psi_j \wedge \hat\varphi_{j+1})$ if $Q_j = \exists$, and $\hat\varphi_j := \forall(\psi_j \to \hat\varphi_{j+1})$ if $Q_j = \forall$.

Finally, the CTL$^-_\forall$ formula $\hat\varphi$ over $\hat P$ is given by $\hat\varphi := \psi_0 \wedge \hat\varphi_1$.



Correctness of the construction. Note that the size of $\hat\varphi$ is polynomial in the size of $\varphi$. Moreover, the refinement quantifier alternation depth of $\hat\varphi$ is equal to the quantifier alternation depth of $\varphi$. Thus, in order to prove Theorem 45 it remains to show that $\varphi$ is satisfiable iff $\hat\varphi$ is satisfiable. For this, we need three preliminary lemmata.

Lemma 46 Let $M_s$ be a pointed model which is well-formed w.r.t. $n$ and minimal, with $\mathrm{words}(M_s) = \{w\}$. Then, for each quantification-free QPTL formula $\xi$ in positive normal form, $w \models \xi$ if and only if $M_s \models T(\xi)$. ⊣

Proof Let $\pi = s_0, s_1, \ldots$ be the unique infinite path of $M$ from state $s$ (note that $\pi$ consists of $p_0$-states). Then, by a straightforward structural induction, one can show that for each quantification-free QPTL formula $\xi$ in positive normal form the following holds: for all $h \ge 0$, $M_{s_h} \models T(\xi)$ iff $(w, h) \models \xi$. Hence, the result follows. □

Let $0 \le j \le n$ and let $M_s$ be a pointed model which is well-formed w.r.t. $j$. For each $j \le h \le n$, an $h$-segment of $M_s$ is a refinement $N_t$ of $M_s$ which is well-formed w.r.t. $h$ and minimal. Note that for each $w \in \mathrm{words}(M_s)$ and $j \le h \le n$, by construction, there exists an $h$-segment $N_t$ of $M_s$ such that $w \in \mathrm{words}(N_t)$.

Lemma 47 Let $1 \le j \le n$ and $M_s$ be a pointed model which is well-formed w.r.t. $j-1$ such that for each $w \in \mathrm{words}(M_s)$, $w \models \varphi_j$. Then, $M_s \models \hat\varphi_j$. ⊣
Proof The proof is by induction on $n - j = 0, \ldots, n-1$.

Base case ($j = n$). Recall $\varphi_n = \forall p_n.\varphi_{n+1}$, where $\varphi_{n+1}$ is a quantification-free QPTL formula in positive normal form. By construction, $\hat\varphi_n = \forall(\psi_n \to T(\varphi_{n+1}))$. Let $N_t$ be a refinement of $M_s$ which satisfies formula $\psi_n$ (if any). We need to show that $N_t \models T(\varphi_{n+1})$. By definition of $\psi_n$, $N_t$ is well-formed w.r.t. $n$. Let $N'_{t'}$ be any $n$-segment of $N_t$, and let $\mathrm{words}(N'_{t'}) = \{w\}$. By transitivity, $N'_{t'}$ is a refinement of $M_s$, so that $w \in \mathrm{words}(M_s)$. Thus, by hypothesis, $w \models \varphi_n = \forall p_n.\varphi_{n+1}$, which implies $w \models \varphi_{n+1}$. By Lemma 46 it follows that $N'_{t'} \models T(\varphi_{n+1})$. Since $N'_{t'}$ is a refinement of $N_t$ and $T(\varphi_{n+1})$ is an existential CTL$^-$ formula, by Proposition 40 we deduce that $N_t \models T(\varphi_{n+1})$ as well. Hence, the result holds.

Induction step ($1 \le j \le n-1$). By construction, there are two cases:

(1) $\varphi_j = \exists p_j.\varphi_{j+1}$ and $\hat\varphi_j = \exists(\psi_j \wedge \hat\varphi_{j+1})$: let $w_0 \in \mathrm{words}(M_s)$. By hypothesis, $w_0 \models \varphi_j$. Hence, there is an infinite word $w'_0$ over $2^P$ such that $w'_0 \equiv_{P \setminus \{p_j\}} w_0$ and $w'_0 \models \varphi_{j+1}$. Since $M_s$ is well-formed w.r.t. $j-1$ and $w_0 \in \mathrm{words}(M_s)$, it follows that $w'_0 \in \mathrm{words}(M_s)$ as well. Let $N_s$ be any $j$-segment of $M_s$ such that $w'_0 \in \mathrm{words}(N_s)$. By definition of $\psi_j$, $N_s \models \psi_j$. Thus, it suffices to show that $N_s \models \hat\varphi_{j+1}$. Since $N_s$ is well-formed w.r.t. $j$ and minimal, and $w'_0 \in \mathrm{words}(N_s)$, it holds that for each $w' \in \mathrm{words}(N_s)$, $w' \equiv_{\{p_1, \ldots, p_j\}} w'_0$. Since no proposition in $\{p_{j+1}, \ldots, p_n\}$ occurs free in $\varphi_{j+1}$ and $w'_0 \models \varphi_{j+1}$, it follows that for each $w' \in \mathrm{words}(N_s)$, $w' \models \varphi_{j+1}$. Thus, by the induction hypothesis, we obtain that $N_s \models \hat\varphi_{j+1}$, and the result holds.

(2) $\varphi_j = \forall p_j.\varphi_{j+1}$ and $\hat\varphi_j = \forall(\psi_j \to \hat\varphi_{j+1})$: let $N_t$ be a refinement of $M_s$ which satisfies formula $\psi_j$ (if any). We need to show that $N_t \models \hat\varphi_{j+1}$. By definition of $\psi_j$, $N_t$ is well-formed w.r.t. $j$. Thus, by the induction hypothesis it suffices to show that for each $w \in \mathrm{words}(N_t)$, $w \models \varphi_{j+1}$. Let $w \in \mathrm{words}(N_t)$. Since $N_t$ is a refinement of $M_s$, it holds that $w \in \mathrm{words}(M_s)$. Thus, by hypothesis, $w \models \varphi_j = \forall p_j.\varphi_{j+1}$. Hence, $w \models \varphi_{j+1}$, and the result follows.

□

Lemma 48 Let $1 \le j \le n$ and let $M_s$ be a pointed model which is well-formed w.r.t. $j-1$ and such that $M_s \models \hat\varphi_j$. Then, there is a $(j-1)$-segment $N_t$ of $M_s$ such that $N_t \models \hat\varphi_j$ and for each $w \in \mathrm{words}(N_t)$, $w \models \varphi_j$. ⊣

Proof The proof is by induction on $n - j = 0, \ldots, n-1$. Recall that $\varphi_n = \forall p_n.\varphi_{n+1}$. Thus, by construction there are two cases:

(1) $\varphi_j = \forall p_j.\varphi_{j+1}$ and $\hat\varphi_j = \forall(\psi_j \to \hat\varphi_{j+1})$: let $N_t$ be any $(j-1)$-segment of $M_s$. By hypothesis $M_s \models \hat\varphi_j$. Since every refinement of $N_t$ is also a refinement of $M_s$, it follows that $N_t \models \hat\varphi_j$. Thus, it suffices to show that for each $w \in \mathrm{words}(N_t)$, $w \models \varphi_j$. Fix $w \in \mathrm{words}(N_t)$ and let $w'$ be an infinite word over $2^P$ such that $w' \equiv_{P \setminus \{p_j\}} w$. Since $N_t$ is well-formed w.r.t. $j-1$, $w' \in \mathrm{words}(N_t)$ as well. Let $N'_{t'}$ be a $j$-segment of $N_t$ such that $w' \in \mathrm{words}(N'_{t'})$. By definition of $\psi_j$, $N'_{t'} \models \psi_j$. Thus, since $N_t \models \hat\varphi_j$, we deduce that $N'_{t'} \models \hat\varphi_{j+1}$. There are two cases:

• $j = n$ (base step): by construction, $\mathrm{words}(N'_{t'})$ is a singleton, $\hat\varphi_{n+1} = T(\varphi_{n+1})$, and $\varphi_{n+1}$ is a quantification-free QPTL formula in positive normal form. Since $w' \in \mathrm{words}(N'_{t'})$ and $N'_{t'} \models \hat\varphi_{n+1}$, by Lemma 46 it follows that $w' \models \varphi_{n+1}$.

• $j \le n-1$ (induction step): since $w' \in \mathrm{words}(N'_{t'})$ and $N'_{t'} \models \hat\varphi_{j+1}$, by the induction hypothesis (note that since $N'_{t'}$ is minimal, for each $j$-segment $N''_{t''}$ of $N'_{t'}$, $\mathrm{words}(N''_{t''}) = \mathrm{words}(N'_{t'})$), it follows that $w' \models \varphi_{j+1}$.

Thus, in both cases $w' \models \varphi_{j+1}$. Since $w'$ is an arbitrary infinite word over $2^P$ such that $w' \equiv_{P \setminus \{p_j\}} w$, we obtain that $w \models \forall p_j.\varphi_{j+1} = \varphi_j$, and the result follows.

(2) $\varphi_j = \exists p_j.\varphi_{j+1}$, $\hat\varphi_j = \exists(\psi_j \wedge \hat\varphi_{j+1})$, and $j \le n-1$ (induction step): since $M_s \models \hat\varphi_j$, there is a refinement $N_t$ of $M_s$ satisfying both $\psi_j$ and $\hat\varphi_{j+1}$. By definition of $\psi_j$, $N_t$ is well-formed w.r.t. $j$. Thus, since $N_t \models \hat\varphi_{j+1}$ and $j \le n-1$, by the induction hypothesis there is a $j$-segment $N'_{t'}$ of $N_t$ such that $N'_{t'} \models \psi_j$, $N'_{t'} \models \hat\varphi_{j+1}$, and for each $w \in \mathrm{words}(N'_{t'})$, $w \models \varphi_{j+1}$. Since $N_t$ is a refinement of $M_s$, it easily follows that $N'_{t'}$ is the refinement of some $(j-1)$-segment $M'_{s'}$ of $M_s$. Since $N'_{t'} \models \psi_j \wedge \hat\varphi_{j+1}$, it holds that $M'_{s'} \models \hat\varphi_j$. Hence, it suffices to show that for each $w \in \mathrm{words}(M'_{s'})$, $w \models \varphi_j$. Let $w \in \mathrm{words}(M'_{s'})$. Then, since $M'_{s'}$ (resp., $N'_{t'}$) is minimal and well-formed w.r.t. $j-1$ (resp., $j$) and $N'_{t'}$ is a refinement of $M'_{s'}$, it follows that there is $w' \in \mathrm{words}(N'_{t'})$ such that $w' \equiv_{P \setminus \{p_j\}} w$. Since $w' \models \varphi_{j+1}$, we obtain that $w \models \exists p_j.\varphi_{j+1} = \varphi_j$, and the result follows. □

Now, we can prove the correctness of the construction.

Theorem 49 $\varphi$ is satisfiable if, and only if, $\hat\varphi$ is satisfiable. ⊣

Proof First, assume that $\hat\varphi = \psi_0 \wedge \hat\varphi_1$ is satisfiable. Hence, there is a pointed model $M_s$ which satisfies both $\psi_0$ and $\hat\varphi_1$. By definition of formula $\psi_0$, it follows that $M_s$ is well-formed w.r.t. 0. Since $M_s \models \hat\varphi_1$, by Lemma 48 we deduce that there is an infinite word $w$ over $2^P$ such that $w \models \varphi_1$. Since $\varphi = \varphi_1$, it follows that $\varphi$ is satisfiable.

Now, assume that $\varphi$ is satisfiable. Since no proposition in $P$ occurs free in $\varphi$, it follows that for each infinite word $w$ over $2^P$, $w \models \varphi$. Let $M_s$ be any pointed model which is well-formed w.r.t. 0. By definition of formula $\psi_0$, it holds that $M_s \models \psi_0$. Moreover, since $w \models \varphi$ for each $w \in \mathrm{words}(M_s)$, and $\varphi = \varphi_1$, by Lemma 47 it follows that $M_s \models \hat\varphi_1$. Therefore, $M_s \models \psi_0 \wedge \hat\varphi_1 = \hat\varphi$. Hence, $\hat\varphi$ is satisfiable. □

By using Theorems 44 and 45 and the fact that there exists a linear-time translation of CTL$^-$ (and of CTL$^-_\forall$) into $\mathcal{L}^\mu_\forall$ (see the translation $\tau$ given earlier in this section), we obtain a proof of the statement of Theorem 39, given at the beginning of this section.

7.2 Succinctness

In this section we establish the following result.

Theorem 50 RML is doubly exponentially more succinct than K, and RML$^\mu$ is doubly exponentially more succinct than the modal $\mu$-calculus. ⊣

Theorem 50 directly follows from the following result, whose proof is given in the rest of this section.

Proposition 51 There is a finite set $P$ of propositional variables and a family $(\varphi_n)_{n \in \mathbb{N}}$ of one-agent $\mathcal{L}_\forall$ formulas over $P$ such that for each $n \in \mathbb{N}$, $\varphi_n$ has size $O(n^2)$ and refinement nesting depth 2, and each equivalent one-agent $\mathcal{L}^\mu$ formula has size at least $2^{2^n}$. ⊣

Construction of the $\mathcal{L}_\forall$ formulas $\varphi_n$ in Proposition 51: let $P = \{l, r, 0, 1, a, b\}$.

An $n$-configuration is a string over $\{a, b\}$ of length exactly $2^{2^n}$. We define a class $\mathcal{C}_n$ of pointed models, where each pointed model in the class encodes in a suitable way a pair of $n$-configurations. Then, we construct the $\mathcal{L}_\forall$ formula $\varphi_n$ in such a way that the following holds: a pointed model $M_s \in \mathcal{C}_n$ satisfies $\varphi_n$ iff the two $n$-configurations encoded by $M_s$ coincide. In order to formally define the class $\mathcal{C}_n$, we need additional definitions. An $n$-block is a pair $bl = (c, i)$ such that $c \in \{a, b\}$ and $1 \le i \le 2^{2^n}$. We say that $c$ is the content of $bl$ and $i$ is the position of $bl$. Intuitively, $bl$ represents the $i$th symbol of some $n$-configuration. First, we define an encoding of $(c, i)$ by a set $\mathrm{code}(c, i)$ of strings over $2^P$ of length $n+3$. Since $1 \le i \le 2^{2^n}$, $i$ can be encoded by a binary string over $\{0, 1\}$ of length exactly $2^n$. Moreover, we keep track, for each $1 \le j \le 2^n$, of the binary encoding (a string over $\{0, 1\}$ of length $n$)³ of the position $j$ of the $j$th bit in the binary encoding of $i$. This leads to the following definition. An $n$-sub-block is a string over $2^P$ of length $n+2$ of the form $sbl = \{\#\}, \{b_1\}, \ldots, \{b_n\}, \{B\}$, where $b_1, \ldots, b_n, B \in \{0, 1\}$. The content of $sbl$ is $B$ and the position of $sbl$ is the integer $1 \le j \le 2^n$ whose binary encoding is $b_1, \ldots, b_n$. Intuitively, $sbl$ encodes the position and the content $B$ of a bit along the binary encoding of an integer $1 \le i \le 2^{2^n}$. Then, $\mathrm{code}(c, i)$ is the set of strings over $2^P$ of length $n+3$ such that

• for each $u \in \mathrm{code}(c, i)$, $u = sbl \cdot \{c\}$, where $sbl$ is an $n$-sub-block whose position $j$ and content $b$ satisfy the following: $b$ is the $j$th bit in the binary encoding of $i$;

• for each $1 \le j \le 2^n$, let $B_j$ be the $j$th bit in the binary encoding of $i$ and $sbl_j$ be the $n$-sub-block whose position is $j$ and whose content is $B_j$. Then, $sbl_j \cdot \{c\} \in \mathrm{code}(c, i)$.

Let $M_s$ be a pointed model over $P$. We denote by $\mathrm{Traces}(M_s)$ the set of finite or infinite strings over $2^P$ of the form $(V^M)^{-1}(s_0), (V^M)^{-1}(s_1), \ldots$ such that $s_0, s_1, \ldots$ is a maximal path of $M$ starting from $s$. A pointed model $M_s$ encodes an $n$-block $(c, i)$ if

$\mathrm{Traces}(M_s) = \mathrm{code}(c, i)$ and $M_s \models \bigwedge_{d=0}^{n-1} \Box^d(\Diamond 1 \wedge \Diamond 0) \in \mathcal{L}$

Note that the set of pointed models encoding $(c, i)$ is nonempty. Let $(w_l, w_r)$ be a pair of $n$-configurations. A pointed model $M_s$ encodes the pair $(w_l, w_r)$ if it holds that:

• $s$ has two successors $s_l$ and $s_r$ (called the left successor and right successor of $s$, respectively). Moreover, $(V^M)^{-1}(s) = \emptyset$, $(V^M)^{-1}(s_l) = \{l\}$ and $(V^M)^{-1}(s_r) = \{r\}$;

• for each $dir \in \{l, r\}$, $s_{dir}$ has $2^{2^n}$ successors $s_{1,dir}, \ldots, s_{2^{2^n},dir}$. Moreover, for each $1 \le i \le 2^{2^n}$, $M_{s_{i,dir}}$ encodes the $n$-block $(c_{i,dir}, i)$, where $c_{i,dir}$ is the $i$th symbol of the $n$-configuration $w_{dir}$.

³ Here, it is not relevant to specify the form of the binary encoding which is used.

If additionally $w_l = w_r$, then we say that $M_s$ is well-formed. The class $\mathcal{C}_n$ is the class of pointed models $M_s$ such that $M_s$ encodes some pair $(w_l, w_r)$ of $n$-configurations. In order to define the $\mathcal{L}_\forall$ formula $\varphi_n$ (for each $n \ge 0$), first, we show the following result. Intuitively, Lemma 52 asserts that there is an $\mathcal{L}_\forall$ formula $\psi_n$ of size $O(n^2)$ which allows one to select, for a given pointed model $M_s \in \mathcal{C}_n$, only the $n$-blocks encoded by $M_s$ having the same position.
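The encoding code(c, i), Traces(M_s) and the n-block condition above, as an added Python example that is not part of the paper; it fixes the binary encodings the text leaves open (i as i-1 in 2^n bits, position j as j-1 in n bits) and treats the marker # as a proposition, both assumptions, and it also checks the branching conjunct and decodes a block back from a model's traces.

```python
"""Added example (not from the paper): code(c, i) from Section 7.2, a tree-shaped
pointed model whose traces realise it, Traces(M_s), the branching condition
/\_{d<n} []^d(<>1 /\ <>0), and a decoder recovering the n-block (c, i)."""
from itertools import count

HASH, ZERO, ONE = frozenset({"#"}), frozenset({"0"}), frozenset({"1"})


def bits(value, width):
    """`value` in binary, most significant bit first, padded to `width` bits.  The paper
    leaves the form of the binary encoding open; this choice is an assumption."""
    return [(value >> (width - 1 - k)) & 1 for k in range(width)]


def code(n, c, i):
    """code(c, i): for every position j in 1..2^n the string {#},{b_1},..,{b_n},{B_j},{c},
    where b_1..b_n encode j (as j-1 in n bits) and B_j is the j-th bit of the 2^n-bit
    encoding of i (as i-1); requires 1 <= i <= 2^(2^n) and c in {a, b}."""
    width = 2 ** n
    if c not in ("a", "b") or not 1 <= i <= 2 ** width:
        raise ValueError("not an n-block")
    i_bits = bits(i - 1, width)
    strings = set()
    for j in range(1, width + 1):
        sbl = [HASH] + [frozenset({str(b)}) for b in bits(j - 1, n)]
        strings.add(tuple(sbl + [frozenset({str(i_bits[j - 1])}), frozenset({c})]))
    return frozenset(strings)


def traces(succ, label, s):
    """Traces(M_s): label sequences of the maximal paths from s.  Block encodings are
    finite trees, so all maximal paths are finite; a cycle is rejected rather than looped."""
    out = set()

    def walk(u, prefix, on_path):
        if u in on_path:
            raise ValueError("cyclic model: Traces(M_s) would contain infinite strings")
        prefix = prefix + (label[u],)
        if not succ[u]:
            out.add(prefix)
        for v in succ[u]:
            walk(v, prefix, on_path | {u})

    walk(s, (), frozenset())
    return frozenset(out)


def block_model(n, c, i):
    """A pointed model (succ, label, root) with Traces(M_root) = code(c, i): a trie of the
    strings, so it also branches over every bit position."""
    root, fresh = "root", count()
    succ, label, children = {root: []}, {root: HASH}, {root: {}}
    for u in code(n, c, i):
        node = root
        for letter in u[1:]:
            nxt = children[node].get(letter)
            if nxt is None:
                nxt = f"s{next(fresh)}"
                succ[nxt], label[nxt], children[nxt] = [], letter, {}
                succ[node].append(nxt)
                children[node][letter] = nxt
            node = nxt
    return succ, label, root


def branches_over_positions(succ, label, s, n):
    """Model check /\_{d=0}^{n-1} []^d(<>1 /\ <>0) at s: every state at depth d < n has
    both a 0-successor and a 1-successor, so all 2^n positions occur."""
    layer = {s}
    for _ in range(n):
        if any(not {ZERO, ONE} <= {label[v] for v in succ[u]} for u in layer):
            return False
        layer = {v for u in layer for v in succ[u]}
    return True


def decode_block(succ, label, s, n):
    """Return (c, i) if M_s encodes the n-block (c, i), i.e. Traces(M_s) = code(c, i) and
    the branching condition holds; otherwise None."""
    tr = traces(succ, label, s)
    width, content_bits, contents = 2 ** n, {}, set()
    for u in tr:
        if len(u) != n + 3 or u[0] != HASH or any(x not in (ZERO, ONE) for x in u[1:n + 2]):
            return None
        j = sum((x == ONE) << (n - 1 - k) for k, x in enumerate(u[1:n + 1])) + 1
        if content_bits.setdefault(j, u[n + 1] == ONE) != (u[n + 1] == ONE):
            return None  # two sub-blocks at the same position disagree on the bit
        contents.add(u[n + 2])
    if len(contents) != 1 or set(content_bits) != set(range(1, width + 1)):
        return None
    content = next(iter(contents))
    if len(content) != 1:
        return None
    (c,) = content
    i = sum(content_bits[j] << (width - j) for j in range(1, width + 1)) + 1
    if c not in ("a", "b") or tr != code(n, c, i) or not branches_over_positions(succ, label, s, n):
        return None
    return c, i
```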

Lemma 52 For each $n \ge 0$, one can construct a one-agent $\mathcal{L}_\forall$ formula $\psi_n$ of size $O(n^2)$ and refinement nesting depth 1 satisfying the following for all pairs $(w_l, w_r)$ of $n$-configurations: for each $M_s \in \mathcal{C}_n$ encoding the pair $(w_l, w_r)$ and each refinement $M'_{s'}$ of $M_s$,

• $M'_{s'}$ satisfies $\psi_n$ iff there is $1 \le i \le 2^{2^n}$ such that the set of $\#$-states (i.e. states whose label is $\{\#\}$) $s'_\#$ reachable from $s'$ is nonempty and for each such state $s'_\#$, $M'_{s'_\#}$ encodes an $n$-block whose position is $i$ and whose content is either the $i$th symbol of $w_l$ or the $i$th symbol of $w_r$. ⊣

Proof The $\mathcal{L}_\forall$ formula $\psi_n$ is defined as follows:

$\psi_n := \xi_n \wedge \forall\bigl(\theta_n \to \bigvee_{b \in \{0,1\}} \Box^{n+3} b\bigr)$

where $\xi_n$ and $\theta_n$ are $\mathcal{L}$ formulas defined as follows:

$\xi_n := \Diamond\top \wedge \Box\Diamond\top \wedge \bigwedge_{d=0}^{n-1} \Box^{d+2}(\Diamond 1 \wedge \Diamond 0) \wedge \Box^{n+2}\Diamond\top \wedge \Box^{n+3}\Diamond\top$

$\theta_n := \Diamond\top \wedge \Box\Diamond\top \wedge \Box^2\Diamond\top \wedge \bigwedge_{d=1}^{n} \bigvee_{b \in \{0,1\}} (\cdots \wedge \Diamond\top) \wedge \Box^{n+3}\Diamond\top$

Note that $\psi_n$ has size $O(n^2)$ and that $\delta(\psi_n) = 1$ (refinement alternation depth). Thus, it remains to prove the second part of the lemma. Fix $M_s \in \mathcal{C}_n$ encoding some pair $(w_l, w_r)$ of $n$-configurations, and let $M'_{s'}$ be a refinement of $M_s$. By construction, for each $\#$-state $s'_\#$ reachable from $s'$ in $M'$, there is a $\#$-state $s_\#$ reachable from $s$ in $M$ such that $M'_{s'_\#}$ is a refinement of $M_{s_\#}$. Moreover, $M_{s_\#}$ encodes some $n$-block $(c, i)$, where the content $c$ is either the $i$th symbol of $w_l$ or the $i$th symbol of $w_r$. Thus, by definition of $\xi_n$ we obtain the following.

Fact 1: $M'_{s'}$ satisfies $\xi_n$ iff the set of $\#$-states $s'_\#$ reachable from $s'$ is nonempty and for each such state $s'_\#$, $M'_{s'_\#}$ encodes some $n$-block $(c, i)$, where the content $c$ is either the $i$th symbol of $w_l$ or the $i$th symbol of $w_r$.

In the second conjunct $\forall(\theta_n \to \bigvee_{b \in \{0,1\}} \Box^{n+3} b)$ in the definition of $\psi_n$, the formula $\theta_n$ intuitively enforces the selection of those refinements $M'_{s'}$ of $M_s$ encoding only $n$-blocks having the same position. Formally, by definition of $\theta_n$, we obtain the following.

Fact 2: Let $M''_{s''}$ be a refinement of $M'_{s'}$. Then, $M''_{s''}$ satisfies $\theta_n$ iff for all $u, u' \in \mathrm{Traces}(M''_{s''})$, $u, u' \in \mathrm{Traces}(M_s)$ and the $n$-sub-block in $u$ and the $n$-sub-block in $u'$ have the same position.

Thus, by Fact 2 it follows that the second conjunct $\forall(\theta_n \to \bigvee_{b \in \{0,1\}} \Box^{n+3} b)$ in the definition of $\psi_n$ requires that all the $n$-sub-blocks in $\mathrm{Traces}(M'_{s'})$ having the same position also have the same content, i.e., all the $n$-blocks encoded by $M'_{s'}$ have the same position. Thus, by Fact 1 the result follows. □

For each $n \ge 0$, let $\psi_n$ be the $\mathcal{L}_\forall$ formula satisfying the statement of Lemma 52. Then, the one-agent $\mathcal{L}_\forall$ formula $\varphi_n$ is defined as follows:

$c \in \{a, b\}$

By construction and Lemma 52 we easily obtain the following result.

Lemma 53 For each $n \ge 0$, the $\mathcal{L}_\forall$ formula $\varphi_n$ has size $O(n^2)$ and $\delta(\varphi_n) = 2$ (refinement alternation depth). Moreover, for each $M_s \in \mathcal{C}_n$, $M_s$ satisfies $\varphi_n$ iff $M_s$ is well-formed. ⊣

Proof of Proposition 51: by Lemma 53, in order to complete the proof of Proposition 51 we need to show that for each $n \ge 0$, each one-agent $\mathcal{L}^\mu$ formula equivalent to $\varphi_n$ has size at least $2^{2^n}$. For this, we use a well-known automata-characterization of (one-agent) $\mathcal{L}^\mu$ in terms of parity symmetric alternating (finite-state) automata (PSAA) which operate on pointed models [50]. First, we recall the class of PSAA. We need additional definitions.

A tree $T$ is a prefix-closed subset of $\mathbb{N}^*$. The elements of $T$ are called nodes and the empty word $\varepsilon$ is the root of $T$. For $x \in T$, the set of children of $x$ (in $T$) is $\{x \cdot i \in T \mid i \in \mathbb{N}\}$. A path of $T$ is a maximal sequence $\pi = x_0x_1\ldots$ of $T$-nodes such that $x_0 = \varepsilon$ and for any $i$, $x_{i+1}$ is a child of $x_i$. For an alphabet $\Sigma$, a $\Sigma$-labeled tree is a pair $(T, r)$ where $T$ is a tree and $r : T \to \Sigma$. For a set $X$, $\mathcal{B}^+(X)$ denotes the set of positive boolean formulas over $X$, built from elements in $X$ using $\vee$ and $\wedge$ (we also allow the formulas true and false). A subset $Y$ of $X$ satisfies $\theta \in \mathcal{B}^+(X)$ iff the truth assignment that assigns true to the elements in $Y$ and false to the elements of $X \setminus Y$ satisfies $\theta$.

A PSAA over $P$ is a tuple $\mathcal{A} = (P, Q, q_0, \delta, Acc)$, where $Q$ is a finite set of locations, $q_0 \in Q$ is an initial location, $\delta : Q \times 2^P \to \mathcal{B}^+(\{\Box, \Diamond\} \times Q)$ is the transition function, and $Acc : Q \to \mathbb{N}$ is a parity acceptance condition assigning to each location $q \in Q$ an integer (called priority). Intuitively, a target of a move of $\mathcal{A}$ is encoded by an element in $\{\Box, \Diamond\} \times Q$. An atom $(\Diamond, q)$ means that a copy of $\mathcal{A}$ in location $q$ moves to some successor of the current state (of the pointed model in input), while an atom $(\Box, q)$ means that for each successor $s$ of the current state, a copy of $\mathcal{A}$ in location $q$ is sent to state $s$. Formally, for a pointed model $M_{s_0}$ over $P$, a run of $\mathcal{A}$ over $M_{s_0}$ is a $(Q \times S^M)$-labeled tree $(T, r)$, where each node of $T$ labeled by $(q, s)$ describes a copy of $\mathcal{A}$ that is in location $q$ and reads the state $s$ of $M$. Moreover, we require that $r(\varepsilon) = (q_0, s_0)$ (initially, $\mathcal{A}$ is in the initial location $q_0$ reading state $s_0$), and for each $y \in T$ with $r(y) = (q, s)$, there is a (possibly empty) minimal set $H \subseteq \{\Box, \Diamond\} \times Q$ satisfying $\delta(q, (V^M)^{-1}(s))$ such that the set $L(y)$ of labels of children of $y$ in $T$ is the smallest set satisfying the following: for all atoms $at \in H$,

• if $at = (\Diamond, q')$, then for some successor $s'$ of $s$ in $M$, $(q', s') \in L(y)$;

• if $at = (\Box, q')$, then for each successor $s'$ of $s$ in $M$, $(q', s') \in L(y)$.

For an infinite path $\pi = y_0y_1\ldots$ of $T$, let $\mathrm{inf}(\pi)$ be the set of locations in $Q$ that appear in $r(y_0)r(y_1)\ldots$ infinitely often. The run $(T, r)$ is accepting if for each infinite path $\pi$ of $T$, the smallest priority of the locations in $\mathrm{inf}(\pi)$ is even. The language of $\mathcal{A}$ is the set of pointed models $M_s$ over $P$ such that $\mathcal{A}$ has an accepting run over $M_s$. The following is a well-known result.

Proposition 54 [50] Given a one-agent $\mathcal{L}^\mu$ formula $\varphi$ over $P$, one can construct a PSAA with $O(|\varphi|)$ locations whose language is the set of pointed models over $P$ satisfying $\varphi$. ⊣

Proposition 51 directly follows from Proposition 54 and the following result.

Lemma 55 Let $n \ge 0$ and $\mathcal{A}_n$ be a PSAA over $P$ whose language is the set of pointed models satisfying the $\mathcal{L}_\forall$ formula $\varphi_n$. Then, the number of locations of $\mathcal{A}_n$ is at least $2^{2^n}$. ⊣

Proof Let $n \ge 0$ and $\mathcal{A}_n$ be as in the statement of the lemma, and let $Q$ be the set of $\mathcal{A}_n$-locations. For each $n$-configuration $w$, let $M^w$ be some well-formed pointed model encoding the pair $(w, w)$, and let $H(w)$ be the set of sets $Q_l \subseteq Q$ such that there is an accepting run $(T, r)$ of $\mathcal{A}_n$ over the pointed model $M^w$ so that:

• $Q_l$ is the set of locations associated with the copies of $\mathcal{A}_n$ in the run $(T, r)$ which read the left successor $s_l$ of the root in $M^w$, i.e., $Q_l = \{q \in Q \mid \text{for some } x \in T,\ r(x) = (q, s_l)\}$.

By hypothesis, $H(w) \ne \emptyset$. Moreover,

Claim: for all $n$-configurations $w$ and $w'$ such that $w \ne w'$, $H(w) \cap H(w') = \emptyset$.

Proof of the claim: for a model $M$ and a set $S' \subseteq S^M$, the restriction of $M$ to $S'$ is defined in the obvious way. For $s \in S^M$, $[M_s]$ denotes the restriction of $M$ to the set of states reachable from $s$ in $M$. For all $n$-configurations $w$ and $dir \in \{l, r\}$, let $s_{w,dir}$ be the $dir$-successor of the root in $M^w$. We prove the claim by contradiction. So, assume that there are two distinct $n$-configurations $w$ and $w'$ such that $H(w) \cap H(w') \ne \emptyset$. Without loss of generality we can assume that $M^w$ and $M^{w'}$ have no states in common. Let $M^{w',w}_s$ be any pointed model satisfying the following: the successors of $s$ in $M^{w',w}$ are $s_{w',l}$ and $s_{w,r}$, and $[M^{w',w}_{s_{w',l}}] = [M^{w'}_{s_{w',l}}]$ and $[M^{w',w}_{s_{w,r}}] = [M^{w}_{s_{w,r}}]$. Evidently, $M^{w',w}_s$ is a pointed model encoding the pair $(w', w)$. Since $w \ne w'$, by hypothesis and Lemma 53 $\mathcal{A}_n$ does not accept $M^{w',w}_s$. On the other hand, since there is $Q_l \in H(w) \cap H(w')$, by definition of the sets $H(w)$ and $H(w')$ and the semantics of PSAA, it easily follows that there is an accepting run of $\mathcal{A}_n$ over $M^{w',w}_s$, which is a contradiction. Hence, the claim holds.

By the claim above, it follows that for each $n$-configuration $w$ there is $Q_w \in H(w)$ (recall that $H(w) \ne \emptyset$) such that for all $n$-configurations $w'$ distinct from $w$, $Q_w \notin H(w')$. Since the number of distinct $n$-configurations is $2^{2^{2^n}}$ and the number of subsets of $Q$ is $2^{|Q|}$, we obtain that $|Q| \ge 2^{2^n}$, and the result holds. □

8 Conclusions and perspectives

We hope to have established a platform for structural refinement in various modal logics. We established results on axiomatization, complexity, and expressivity, and we gave applications to software verification and design, and to dynamic epistemic logics. We clearly established the relation to bisimulation quantified logics: refinement quantification is bisimulation followed by relativization. The multi-agent refinement modal logic and the furthest generalization in the form of the refinement $\mu$-calculus are only the beginning. One could think of refinement CTL, refinement PDL, refinement epistemic logics, refinement with further structural restrictions or with protocol restrictions, and so on. Each of these logics may have different axiomatizations and complexities, and equal expressivity with the refinement-less version is certainly not to be expected; e.g., we estimate that refinement modal logic is more expressive than the base modal logic on the JCT model class.

A number of perspectives appear both nearby and on the further horizon. We wish to resolve the issue of the complexity of refinement modal logic (we have only resolved the issue for the refinement $\mu$-calculus). Complexity of model checking in these logics has not been addressed. Given applications in the logics of knowledge and multi-agent system architecture, the axiomatization of refinement epistemic logic, interpreted on the class of multi-S5 models, is a coveted prize that has so far escaped us.

On the further horizon loom the detailed investigation of other refinement logics, mainly refinement PDL and refinement CTL, and the exploration of their applications. The relation between refinement quantification and other forms of propositional quantification over information change (quantifying over announcements, quantifying over action models) needs closer investigation, and the results to be obtained in that area are unclear.